PRIVACY AND DATA SECURITY: PROTECTING 
CONSUMERS IN THE MODERN WORLD 


WEDNESDAY, JUNE 29, 2011 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 10 a.m. in room SR-253, 
Russell Senate Office Building, Hon. John D. Rockefeller IV, 
Chairman of the Committee, presiding. 

OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
U.S. SENATOR FROM WEST VIRGINIA 

The Chairman. We’ve got to begin. This hearing will come to 
order. This is the third hearing on consumer privacy that we’ve had 
in this committee in the 112th Congress. As I have repeatedly 
emphasized, Americans are often unaware of the vast amounts of 
information that are being collected on them and then used usually 
to their detriment. 

I’ve focused on the need for companies to provide everyday con- 
sumers with a clear understanding of what information they are 
collecting, where the information is going, and how it’s being used. 
I’ve also asked companies to give consumers an easy way for them 
to stop those collection processes. I don’t think this is too much to 
ask of companies that are making a lot of money and a lot of 
money that comes off of consumers’ personal information. 

That should not be happening in America. This is a new cost of 
doing business in America, and people have to understand that. 
Government doesn’t subsidize what companies need to be doing to 
protect privacy. 

Poll after poll shows that Americans are increasingly concerned 
about their loss of privacy, and these same polls show that Ameri- 
cans don’t know what to do about it. I’ve had endless meetings in 
my state, as I’m sure Senator Kerry and Senator Toomey have, 
also. They don’t know what to do about it. 

It’s my intent, as Chairman of this Committee of jurisdiction — 
and I say that very clearly for many to hear — to change all of this. 
I want ordinary consumers to know what is being done with their 
personal information, and I want to give them the power to do 
something about that. 

That is why I’ve introduced S. 917, the Do-Not-Track Online Act 
of 2011. This bill is based on a very simple concept. With an easy 
click of the mouse, consumers can tell all online companies they do 
not want their information collected, period. One click, no 
information collected. Under my bill, companies would be obliged to honor 
that request. It’s that simple. 

Senator Kerry has also introduced a bill, S. 799, the Commercial 
Bill of Rights Act of 2011, which is a very comprehensive piece of 
legislation that governs many facets of all of this and of the econ- 
omy, indeed. It’s a very good piece of legislation. 

And other members of the Committee have similarly voiced 
strong interest in privacy matters. I believe these hearings form 
the basis for building bipartisan consensus about really doing 
something about this. 

Now, today’s hearing is also about data security, which directly 
implicates consumer privacy. We are reminded of this, I’m afraid, 
every day in the headlines. 

The recent security breaches at Citibank, Sony, and Epsilon 
show that companies are increasingly vulnerable to cyber attacks 
that compromise the safety and the privacy of Americans. I’m not 
concerned about the breaches. I’m concerned about what happens 
to American people as a result of that. Well, I’m concerned about 
the breaches, too. 

When criminals break into a database and steal credit card num- 
bers, Social Security numbers, or even e-mail addresses, they can 
use this information to commit identity theft, which can have dev- 
astating consequences for the victims. 

That is why Senator Pryor and I have introduced once again this 
year, S. 1207, the Data Security and Breach Notification Act, the 
same bill that we introduced in the last Congress. The bill will im- 
pose an obligation on companies to adopt basic security protocols 
to protect sensitive consumer data, and it would further require 
these companies to notify affected consumers in the wake of a secu- 
rity breach — again, a cost of doing business in the New World. 

The bill would also require greater transparency for something 
called the data broker industry, not one of my favorite subjects to 
talk or think about. These are companies that amass vast amounts 
of data on consumers, sell that information to other companies, 
usually for marketing purposes, and they make a lot of money for 
it. Most people don’t even know they exist. They’ve never heard of 
them. They have no idea that their privacy is being invaded, used, 
sold, and marketed. 

So there’s a broad consensus that federal data security legisla- 
tion is necessary. The Administration included a breach notification 
provision similar to the provision of S. 1207, Pryor’s and my bill, 
in its cyber security proposal. In order for this bill to be ready for 
floor consideration as part of the larger cyber security effort, I will 
work with Senator Pryor and all of my colleagues to make sure 
that all of this works out. 

I now call on Senator Kerry. I warn you we have some votes at 
11, so we’re going to be hurrying just a bit. 

STATEMENT OF HON. JOHN F. KERRY, 
U.S. SENATOR FROM MASSACHUSETTS 

Senator Kerry. Indeed, and, Mr. Chairman, in that spirit, I’ll try 
to be very quick, because we do have about five votes, I think, 
coming up. 
First of all, thank you for holding this hearing. And I want to 
thank you for the meeting that we had the other day to discuss, 
not just our bill, but the whole approach of the Committee. And I 
pledge to work with you as closely as possible as we try to find a 
broad-based and, hopefully, consensus approach to the challenges 
of this issue. 

What we’re discussing today is really the ability of people to sort 
of control or have some impact on the way profiles about them — 
a digital profile or multiple digital profiles — are compiled on almost 
all of us and then sliced and diced and traded in a marketplace 
where many people are not, as you have just remarked, appro- 
priately in control of what happens to them. 

We also are here to discuss the need to establish uniform 
standards for the security of the private networks that hold our 
information. Now, when I talk about privacy, I’m talking about the ability 
of people to exercise choice and control over how their 
information — I repeat, their information — is collected, used, and 
distributed. 

Data security is a subset of that issue and about how companies 
can secure the information that they collect on people and what 
they need to do in the case of a security lapse. Both are serious 
matters. 

When a company is hacked, and the information of hundreds of 
thousands of their consumers is taken, the individuals whose infor- 
mation is revealed are obviously exposed to the risk of the hackers 
who stole it using that information in any number of ways, but 
particularly to harm them. The company that is hacked is hurt by 
being exposed to reputational damage and harmed relations with 
its customers. 

And establishing uniform procedures for how to react in the case 
of a security lapse and increasing incentives for having strong secu- 
rity procedures is, I think, a necessary goal and well addressed in 
the data breach legislation that you, Mr. Chairman, and Senator 
Pryor have introduced. 

But data security requirements alone are not going to give people 
authority over how their information is collected or its use and dis- 
tribution. Data security is just one piece of the overall privacy puz- 
zle. 

After working with Senator McCain and others for some months 
on this issue — you mentioned the legislation, Mr. Chairman, a 
moment ago that we’ve introduced, and I appreciate your comments 
about it. We need to find a way to meld the various approaches 
that are out there and to build, obviously, a consensus within this 
committee — I agree with you, the Committee of jurisdiction — in 
order to be able to protect people. 

Beyond accountability security, I think that the legislation we’ve 
contemplated is going to give people meaningful and specific expla- 
nations and control on how their information is being collected, 
used, and distributed, as well as, importantly, the power to opt-out 
of those practices. 

I think Senator Rockefeller’s approach is a good one, a strong 
one, an important one, the Do-Not-Track. It’s one component of it. 
But I do think that beyond that, we still have to deal with this 
question of choice over how your information is managed even if 
you do consent to it. 

And so I think that what we’ve put forward is a comprehensive 
bipartisan proposal as a starting point. 

And, Mr. Chairman, I think it’s critical to work with you, 
Senator Kay Bailey Hutchison, Senator Snowe, and others on the 
Committee, in order to bring more people to the table, and I certainly 
look forward to doing that. 

I do want to point out that at the moment, sort of in the center 
of this debate — there are a couple of polls, but in the center, you’ve 
got major companies, like Intel, Microsoft, eBay, Hewlett-Packard, 
as well as consumer advocates represented by the Consumers 
Union and others who are helping us to try to focus this in the 
right direction. 

And, finally, you know, we have expert agencies represented here 
today. The Federal Trade Commission, the Department of Com- 
merce, the Federal Communications Commission — they’ve all been 
doing what they can to protect Americans using the legal tools 
available to them and using their ability to convene the stake- 
holders and the experts and then educate themselves and con- 
sumers on the changing practices in this rapidly moving and ever 
evolving world we live in. 

But the fact is that they don’t have all the tools necessary. And 
that’s why this discussion is so important. 

So I look forward to working with you, Mr. Chairman, making 
sure we have a complete picture of what is going on in the market 
today from which we can draw the best conclusions about how to 
proceed to have a smart, baseline, commercial privacy protection 
put into law. And I thank you for focusing intently on this impor- 
tant issue. 

The Chairman. Thank you, Senator Kerry. 

Senator Toomey. 

STATEMENT OF HON. PATRICK TOOMEY, 
U.S. SENATOR FROM PENNSYLVANIA 

Senator Toomey. Thank you very much, Mr. Chairman, for hold- 
ing another hearing on this very important topic. I appreciate that, 
and I agree with Senator Kerry’s characterization that data secu- 
rity is one subset of consumer privacy, which is itself, though, a 
very broad topic. 

On data security, there seems to be broad support among indus- 
try stakeholders, consumer advocates, and many Members of Con- 
gress for a national standard. And it’s certainly an issue that Con- 
gress is likely to address legislatively in the near future. 

In recent years, there have been a number of high profile data 
breaches affecting consumers nationwide. And establishing a single 
federal standard for notifying victims of data breaches and pro- 
tecting sensitive information is something I do think we should 
consider seriously. 

I look forward to working with the Chairman and other members 
of the Committee in, hopefully, addressing this in a constructive 
and bipartisan manner. 

On the broader issue of privacy, however, I’m not sure there is 
yet a consensus on how to best protect consumers or whether a 
legislative solution is, indeed, the best method for doing so. So before 
Congress considers comprehensive privacy legislation that would 
have a significant impact on businesses large and small and on 
consumers, I think we need to thoroughly examine this issue and 
make sure that we don’t apply a solution in search of a problem. 

I’m very interested to hear from our witnesses today on what, 
specifically, is most concerning to consumers when it comes to 
privacy; what consumers’ expectations are regarding their privacy; 
and what, if any, real harm has occurred from online data 
collection and how to best address any such harms. In a world where 
millions of people voluntarily share very personal information on 
websites like Facebook and Twitter on a daily basis, I’m not sure 
exactly what consumer expectations are when it comes to privacy. 
But I am pretty sure that different consumers have different 
expectations about privacy. 

I’m also not sure who’s best suited or even qualified to make the 
determination. Should it be Congress? Should it be the Federal 
Trade Commission? Or neither? Perhaps industry and consumers 
should set the standard by mutual consent in their interactions. 

These are the issues that I hope we will carefully examine. And 
I’m hopeful that we can make some progress on them today. 

My colleagues who have introduced legislation in this field are 
certainly very well-intentioned and it’s thoughtful legislation. But I 
am not sure that we’ve fully considered the unintended 
consequences that could attach to these proposals. 

The Internet and the communications marketplace have flour- 
ished and fueled tremendous economic growth in part because ex- 
cessive government regulation has not yet occurred. In fact, Amer- 
ican innovation in this field far outstrips the innovation that’s oc- 
curring in other places, including Europe, where much more exten- 
sive regulation currently exists. 

So, the Internet clearly has changed the way we communicate 
and do business very much for the better. And we should be careful 
about imposing new rules and regulations that might unnecessarily 
harm future innovations. 

I’m sure no one on this committee wants to “break the Internet” 
or limit many of the popular online services consumers can access. 
In order to avoid fundamentally altering the current online experi- 
ence, and creating these unintended consequences, I just urge that 
we all proceed with caution. 

One very brief example, for instance — overly restrictive regula- 
tions for online advertising would likely result in consumers having 
access to fewer free online services and applications. I’m not sure 
that we’re qualified at this point to make the judgment of what 
that trade-off ought to be. 

I want to protect privacy online, and I want consumers to feel 
comfortable when using the Internet. But until we have a clear pic- 
ture of the harm we’re trying to address and have looked at a cost- 
benefit analysis of any new privacy legislation, I have reservations 
about moving forward with a legislative mandate. 

That said, there are a number of ideas that have been put on the 
table that I do find appealing. One example is the idea that maybe 
we ought to consider consolidating privacy enforcement and over- 
sight into a single federal agency rather than multiple agencies. 
So on this and this entire range of topics, I look forward to 
working with you, Mr. Chairman, and the other members of the 
Committee. Again, I thank you for holding this hearing. And I’d like to 
ask consent to have a statement prepared by the National Retail 
Federation included in the record. 

[The information referred to follows:] 

Prepared Statement of the National Retail Federation and Shop.org 

Chairman Rockefeller, Ranking Member Hutchison and members of the Senate 
Committee on Commerce, Science, and Transportation, on behalf of the National Re- 
tail Federation and its division Shop.org, I appreciate the opportunity to submit this 
written statement to the Committee in connection with its hearing entitled “Privacy 
and Data Security: Protecting Consumers in the Modern World” held on June 29, 
2011. 

As the world’s largest retail trade association, the National Retail Federation’s 
global membership includes retailers of all sizes, formats and channels of distribu- 
tion, as well as chain restaurants and industry partners from the U.S. and more 
than 45 countries abroad. In the United States, NRF represents the breadth and 
diversity of an industry with more than 1.6 million American companies that em- 
ploy nearly 25 million workers and generated 2010 sales of $2.4 trillion. Shop.org, 
a division of the National Retail Federation, is the world’s leading membership com- 
munity for digital retail. Founded in 1996, Shop.org’s 600 members include the 10 
largest online retailers in the U.S. and more than 60 percent of the Internet Retailer 
Top 100 E-Retailers. 

I. Introduction: Information is the Lifeblood of Retail Success and Growth 

Retailers are by their very nature marketers and advertisers. Consumer informa- 
tion used for these purposes is the lifeblood of the industry, and the catalyst for its 
growth. Trends and revolutions in retailing, such as the rise of e-commerce, are 
fueled by the sharing of information between merchants and their customers. The 
information collected by retailers ensures the right merchandise is stocked on 
shelves, customers are offered the best sales and promotions to get them in the door, 
and stores are opened in locations where demand is the highest, to name just a few 
of the important uses of consumer information. 

As businesses that have direct, first-party relationships with their customers, re- 
tailers understand why the gathering and use of some customer information for 
these and other lawful purposes may still raise consumer privacy concerns despite 
the clear benefits that the smart use of information has provided to consumers over 
the years. Indeed, privacy and security considerations are of paramount concern to 
retailers for that very reason, and their goals are to be as responsive to consumer 
concerns as possible. In a very competitive industry that averages only 2 percent 
profit margins, retailers distinguish themselves on the quality of their customer 
service and the shopping experience they provide. Protecting customers’ information 
is an important part of that mission. 

Furthermore, we agree with the Committee that privacy considerations should be 
taken seriously by all businesses — from securing important human resources infor- 
mation to protecting databases that hold sensitive customer information. However, 
we also believe that some of the legislative proposals being considered by the Com- 
mittee go too far in restricting customary and lawful uses of information that are 
essential to retail businesses, and we are concerned that some of the provisions 
could have the unintended effect of stifling innovation and growth in our industry 
at a critical time for our economy and the retail sector as a whole. 

II. The Continuing Growth of E-Commerce as a Retail Channel 

Retailers have spent the last fifteen years revolutionizing the way Americans shop 
by giving each and every consumer greater access to a wide variety of brands, goods, 
and services at highly competitive prices both in their stores and online. E-com- 
merce has brought millions of new customers to retailers’ virtual stores and has also 
served to increase new customer traffic in traditional brick-and-mortar shops as 
well. According to the Shop.org-released annual study, The State of Retailing Online 
(“SORO”), conducted each year by Forrester Research, Inc., online retail sales 
soared to $156 billion in 2009 and are projected to likely exceed the $200 billion 
mark in 2012.[1] 


[1] The State of Retailing Online 2009. 

As retailers continue to fine-tune their selling and marketing strategies, 
consumers, in particular, have become more comfortable shopping online — especially 
with retailers that they know and trust. By the end of 2009, online sales accounted 
for 6 percent of all retail sales.[2] In contrast, it took the catalog industry 100 years 
to represent just 4.7 percent of all retail sales.[3] What has made this online retail 
revolution possible is the widespread access to the Internet and e-mail by American 
consumers, and the ability for retailers to actively and nimbly adapt to their cus- 
tomers’ evolving shopping preferences. Retailers are constantly re-designing and 
adding new features to their online sites, striving to create the most relevant con- 
tent and consumer-friendly web experiences for their customers. This helps retailers 
maintain their customer base, draw in new shoppers, and improve overall conver- 
sion rates. As noted previously, retailers must be relentless about delivering the 
most compelling and relevant experience to their customers because that is how 
they differentiate themselves in an extremely competitive, volume-driven business 
that operates on low profit margins. 

The key to the constant evolution of retail marketing and sales is the information 
that retailers have collected about their customers’ shopping preferences in stores 
and on their websites over time. That being said, retailers take their customers’ pri- 
vacy and security seriously and have an excellent track record of using customer 
information in order to deliver relevant and targeted marketing. Retailers have long 
understood that keeping their customers happy is the most essential part of build- 
ing positive long-term business relationships. However, retailers do not want to fun- 
damentally alter an entire medium for effective information collection and use. We 
believe that effective and enforceable self-regulation and, in the case of retailing, in- 
dustry leadership (or “best practices”), are among the most effective ways to protect 
consumers while still enabling businesses to maintain the flexibility to innovate and 
adopt new technologies to better serve their customers. 

There is an old saying that “the customer is always right,” and that could not be 
truer in the retail industry as retailers must meet customers’ constantly evolving 
expectations. If they do not meet their customers’ expectations or, worse, violate 
their trust, customers will not be happy and they will shop elsewhere. Given the 
limitless number of shopping choices presented to American consumers every day, 
particularly online, there’s a new saying in online retail that is particularly appro- 
priate in this context: “Competition is only one click away.” 

With retailers’ interests aligned with their customers’ interests in terms of satis- 
fying their needs and allaying their concerns, honoring consumers’ privacy and mar- 
keting preferences and securing their data is of paramount importance. For this rea- 
son, retail customers are very likely to have their privacy and security expectations 
met and they continue to maintain significant control over the business relationship. 
The Federal Trade Commission (“FTC”) recognized as much in its December 2010 
staff report on a proposed U.S. privacy framework (the “FTC Privacy Report”), not- 
ing that it had less concerns about these types of consumer information practices 
than others.[4] 

III. Views on Proposed Data Security Provisions in Current Legislation 

There are many ways that retailers are currently securing information as well as 
protecting sensitive customer information. First, to the extent that retailers act as 
credit grantors, they must abide by the statutory privacy and data security protec- 
tions required by the Gramm Leach Bliley Act (“GLBA”), the Fair Credit Reporting 
Act (“FCRA”), and the Fair and Accurate Credit Transactions Act (“FACTA”). Fur- 
ther, any retailer that processes and retains third-party credit card information is 
currently subject to the Payment Cards Industry (“PCI”) standards program devel- 
oped by Visa, MasterCard, American Express and Discover. These statutes and pro- 
grams do not apply to non-sensitive marketing data, as their goal is to provide im- 
portant protections for consumers’ most sensitive financial data because its misuse 
may lead to identity theft or other significant financial harm. 

A. Data Minimization and Retention 

While we generally support legislation that would create uniform national data 
security standards, some of the proposed provisions in privacy and data security 
bills, such as data retention standards, would be problematic. We also agree that 
non-sensitive customer data should be protected as part of proposed data security 
standards, but believe that such protection must be proportionate to the type and 
sensitivity of the data. A few examples here may be helpful for the Committee’s 
review and consideration. 

[2] Id. 

[3] The State of Retailing Online 2002. 

[4] See Preliminary FTC Staff Report, “Protecting Consumer Privacy in an Era of Rapid 
Change,” December 1, 2010 (hereinafter, “FTC Privacy Report”). 

First, provisions that would require deletion of data unless there is a legitimate 
business need for continued retention must be flexible, as the needs will vary great- 
ly from business to business, and companies should not be subject to arbitrary time 
limits for how long data can be stored. Retailers, for instance, have many legitimate 
uses for customer data, from fraud prevention to inventory planning, to planning 
marketing campaigns and store openings. As a result, we believe data retention de- 
terminations must be left to the business itself. In fact, in the 46 states and 3 fed- 
eral territorial jurisdictions that have recently enacted data security and breach no- 
tification statutes, none have legislated a specific time period for data retention and 
we would urge Congress to do as these states and jurisdictions have done. 

Additionally, while the FTC Privacy Report advises that data retention periods 
should be linked in some way to the type or sensitivity of the data being collected, 
this should not force retailers to arbitrarily dump marketing information that they 
have expended significant resources to develop and that may be relevant to their 
businesses in the future. For example, innovations in retailing and e-commerce are 
fueled by data analytics and other widely used Customer Relationship Management 
(“CRM”) techniques that rely heavily on complete and reliable sources of informa- 
tion. Congress should therefore be cautious in setting one-size-fits-all retention peri- 
ods for industry that could have the significant unintended consequence of forcing 
the removal of critical data from businesses that, in turn, may limit their future 
market growth and ability to compete when innovative new uses for that informa- 
tion are later developed. 

In addition to marketing, data retention is necessary to provide customers with 
a seamless experience. For instance, if a customer purchases a couch from a retailer 
and then 24 months later would like to complete the set, it is critical for the retailer 
to have all of the information about the initial purchase stored in its system in order 
to provide the customer with the service that customer expects and to which they 
have become accustomed. The time period for a retailer wishing to provide good cus- 
tomer service is dependent upon the retailer’s reasonable expectations and experi- 
ence concerning its typical customers’ needs. 

B. Accuracy, Access and Correction Rights for Non-Sensitive Data 

We disagree with proponents of data security legislation who believe businesses 
should be required to ensure the absolute accuracy of non-sensitive marketing data 
that they collect under the mistaken premise that it might result in a customer not 
receiving an important benefit. Information that is used to determine eligibility for 
credit, employment, housing, insurance, and other important financial services, is 
certainly the type of information that may cause economic harm if its inaccuracy 
leads to a denial of such service. However, information accuracy, access and correc- 
tion rights are already provided for this type of sensitive information under several 
federal laws, including FCRA and FACTA. 

With respect to non-sensitive marketing data, it is certainly in a retailers’ best 
interest to have generalized information about their customers’ product interests in 
order to send them the most relevant marketing, but marketing files do not merit 
the same level of scrutiny as credit and financial information because, by their very 
nature, this non-sensitive information is not used to deny consumers important ben- 
efits (such as credit, employment, housing, or insurance). Moreover, even moderate 
inaccuracy of non-sensitive marketing information (e.g., an incorrect sock size or 
color preference) typically cannot cause significant economic harm to an individual 
in the same way that the denial of credit, employment, housing and insurance 
might. 

For these reasons, we would advise that the Committee reconsider the inclusion 
of accuracy, access and correction rights for non-sensitive marketing information in 
any proposed data security or privacy legislation. On the other hand, as a matter 
of good practices, we do believe that access to customer information should generally 
be restricted to those with an articulable business “need to know.” 

C. Private Rights of Action 

We appreciate that none of the proposed data security or privacy bills being con- 
sidered by the Committee establish new private rights of action as part of their en- 
forcement regime. As the Committee can appreciate, retailers are already subject to 
massive fines and expenses for data security violations under actions by the Federal 
Trade Commission, state attorneys general and private entities (for PCI standards 
enforcement) — costs which collectively run into the millions of dollars. In its consid- 
eration of the Committee’s legislation, we strongly urge Congress not to amplify 
these costs by also subjecting every American business that accepts a credit card 
to the potential ruinous compounding of additional private litigation. 

IV. Views on Proposed Privacy Provisions in Current Legislation 

A. Scope of Covered Information 

The scope of legislative proposals to protect consumer privacy has often been a 
key issue for retailers and is again a factor that we urge the Committee to carefully 
consider. In proposed legislation, the definitions of covered information (where pro- 
vided and not left to the discretion of the FTC) are often overly inclusive of non- 
sensitive and even non-personal information. For example, as currently drafted, the 
Kerry-McCain privacy bill would cover nearly all data collected for commercial use, 
no matter how sensitive or innocuous, if that data can be linked to a specific con- 
sumer, computer or device. 

Additionally, while the legislative language states that it covers all commercial 
entities that collect data in both online and offline contexts, the statements of Sen- 
ator Kerry and the testimony offered at the Committee’s privacy hearings this year 
have focused more keenly on online data collection and the provision of consumer 
choice in these channels. Given that the offline collection of consumer data is much 
more layered than online collection, and that offering consumer notices and choice 
mechanisms offline will be much more onerous on businesses and consumers alike, 
we strongly suggest that legislative proposals be narrowed to simply address signifi- 
cant known consumer protection concerns and not be crafted as one-size-fits-all pro- 
posals intended to cover every possible instance in which data — particularly non- 
personally identifiable data — is collected in the course of doing business. To do so 
would be tantamount to regulating all information in our information economy, 
which we believe would have significant unintended consequences. 

Moreover, the proposed broadening of the definition of “covered information” in 
the bill to include data that is not personally identifiable information (“PII”) is trou- 
bling. The FTC Privacy Report concluded that “any data that relates to a person 
has privacy implications and, therefore, should be protected appropriately.”⁵ How- 
ever, having a proposed privacy framework whose scope would be broadly defined 
to cover any data that can be “linked” to a consumer, computer or mobile device 
is one that is as broad as covering all data itself, since any data can be conceivably 
linked to any other data in a database. The implied breadth of regulation in the 
FTC Privacy Report goes well beyond the agency’s consumer protection mandate 
and, in terms of practicality, is simply untenable. 

The Commission also noted that the ability to re-identify customers from anony- 
mous data has caused the traditional understanding of PII to lose significance. How- 
ever, in the examples the FTC presents in the report, the companies involved were 
either violating their own privacy policies or the policies of the company that hired 
them. These types of corporate transgressions should be properly handled under the 
FTC’s currently authorized enforcement regime, and not become the stated cause for 
the complete redefinition of what has traditionally been considered PII. Further- 
more, maintaining a carefully crafted definition of covered information based on the 
same concepts of PII that underlie current federal privacy laws would provide some 
natural boundary to proposed privacy legislation so that the scope of new govern- 
ment regulations for consumer protection purposes is tied to data that actually iden- 
tifies consumers. 

B. Exceptions for Common First-Party and Third-Party Practices 

The first-party marketing exception is extremely important to retailers in all mar- 
keting channels.⁶ Retailers have been advertising and marketing to their own cus- 
tomers since retail began. A century ago, pioneering general stores kept careful logs 
of what customers bought, and often extended simplified credit “terms” or deferred 
payment based on the shopping histories of loyal customers. In towns and cities, 
local haberdashers knew their customers’ measurements and preferences by heart, 
and neighborhood pharmacies were places where simple medical advice was dis- 
pensed while the community gathered at the lunch counter to share news and con- 
nect. What was once face-to-face interaction with a brick-and-mortar small business 
has, over time, evolved in to customer loyalty programs such as those found at a 
favorite grocer, department store, and on popular websites known for serving up tar- 
geted customer recommendations and providing one-click ordering services. 


5 FTC Privacy Report, p. 39. 

6 Whether legislation narrows the scope of the exception to only cover the online collection of 
data is significant, as first-party marketing is a vital tool to retailers in multiple channels in- 
cluding, in-store, catalog, online and mobile. 
In the FTC Privacy Report, the Commission asked if first-party marketing should 
be limited to the context in which the data is collected from the consumer, and the 
Kerry-McCain bill limits the exception in certain similar ways. Our view is that the 
online or offline channel in which first-party marketing is conducted should not 
cause the exception to be narrowed to the use of information collected only in that 
channel because a customer’s common understanding is that he or she is doing busi- 
ness with a single retailer, even if that interaction happens in one of several avail- 
able mediums. A few examples here again may be helpful to the Committee. 

As the Committee knows, retailers operate across all channels and consumers 
have come to expect a seamless shopping experience whether they are browsing the 
retailer’s site online or on their mobile device, or browsing the store’s aisles at the 
local shopping center. Consumers do not differentiate or segment out their experi- 
ences with a retailer, and retailers must accommodate their expectations. Inte- 
grating online and offline consumer information allows retail customers to enjoy in- 
tegrated services, such as in-store returns for online purchases, and the ability to 
shop with loyalty points and coupons through the medium that is most convenient 
for them. It also allows for the deployment of new technologies such as in-store ki- 
osks that permit online ordering or allow customers to manage their wedding and 
baby registries or personalized “wish lists.” Customers often appreciate receiving 
marketing promotions in several different ways as well. For those customers whose 
preferences are specific, opt-outs for mail and e-mail can be easily obtained under 
current law and marketing self-regulation programs. It is also well-known that rep- 
utable retailers respect customer preferences as a matter of good customer service. 

Again, whether a customer shops in-store, online, through a mobile application or 
by catalog, that consumer’s assumption is that they are shopping with a single re- 
tailer. The first-party marketing exemption should be extended to cover all of these 
environments in which retailers interact with their own customers. Additionally, the 
exception should cover customer marketing information that is shared with affiliates 
as well as third-parties who are operating seamlessly within the four walls of the 
retail operation, such as leased departments or in-home services. 

For example, some retailers have launched integrated websites where customers 
can switch from one brand to the next easily. A few are even utilizing common shop- 
ping carts and web-based check-out services, truly tying together their business 
lines. If an affiliate or service-provider exception were not included within the first- 
party marketing exception, it could seriously harm these growing programs. Addi- 
tionally, department stores have historically relied on leased departments and other 
third-parties to provide their in-store customers with specialized, branded products 
(e.g., cosmetics, sunglasses, jewelry, etc.) and additional customer services (e.g., hair 
salons, photo studios, appliance repair, etc.). If these types of relationships are not 
considered within the scope of the first-party marketing exception, it could critically 
damage these relationships and force a complete reorganization of traditional retail 
department store practices that underlie the provision of these services — even pos- 
sibly limiting their future availability to consumers. 

The final question posed by the FTC Privacy Report about first-party marketing 
asks how the proposed framework should handle the process of data enhancement, 
whereby a company obtains information about its customers from other sources to 
enrich its customer databases. This practice should not be considered different from 
first-party marketing and thereby subject to enhanced notice-and-choice regulations, 
but should fall under similar exceptions for “first-party marketing.” Data enhance- 
ment tools are used for many different purposes: customer relationship management 
(CRM), marketing (especially targeted marketing), internal business planning (e.g., 
locating stores and planning inventory), loss prevention, fraud prevention and prod- 
uct and service fulfillment. For instance, if a retailer did not use third-party data 
enhancement to keep current with its customers, it could mistakenly send pro- 
motional coupons to a deceased customer’s household without ever knowing it. By 
confirming current addresses with third-party service providers, a retailer also 
might avoid sending mail to an old address for products which may be unwanted 
or irrelevant to the new resident. Many consumers often do not bother updating 
their mailing address even with their favorite retailer, simply assuming they will 
continue to receive discounts and promotions from the same store at their new mail- 
ing address. In another example, retailers commonly run shipping addresses pro- 
vided by a consumer against fraud prevention lists, and if new addresses raise red 
flags in the future, they may be subject to further scrutiny via data enhancement 
tools. 

If these types of common data practices were to fall outside of the exceptions for 
commonly accepted practices in federal legislation, and be subject to a new customer 
notice-and-choice regime, what are now routine first-party processes would have to 
be noticed by retailers and customers would be constantly bombarded with mar- 
keting “choices” at the point of sale, whether in a store, on the Internet, or on their 
mobile devices. This would be extremely disruptive to the retail customer experience 
and, furthermore, provides no conceivable benefit to consumers because these com- 
mon practices are not ones that consumers are complaining about in the first place. 

C. Offering Consumer Choice in the Context in Which It Is Made (Online and 
Offline) 

The FTC Privacy Report states that to “be most effective, companies should pro- 
vide the choice mechanism at a time and in a context in which the consumer is 
making a decision about his or her data.”⁷ Indeed, some suggest that allowing con- 
sumer choice is very technologically workable in the online context. It is true that 
technology has made real-time notice and choice regimes more palatable and, when 
taken individually, disruptions in the flow of the customer’s experience may not 
seem like a big deal to a lay person. However, in terms of overall conversion rates, 
these types of “hiccups” or consumer annoyances can be devastating to retailers. 

We all know how frustrating pop-ups can be when you are simply trying to read 
the latest headlines on a newspaper website. Now transfer that experience to a re- 
tail website, where customers have come to expect a seamless experience from 
homepage to check-out. Even under the best circumstances, average conversion 
rates are only about 3.1 percent and shopping cart abandonment rates still hover 
at 50 percent.⁸ Any additional hurdles would simply serve to frustrate consumers 
and could drive down the number of completed transactions overall. Further, we 
now know from years of experience, even when offered the option, as required by 
law, consumers do not regularly take advantage of these types of programs. In fact, 
by our estimates, only 6 percent of retail customers exercised their right to opt-out 
of marketing e-mails in 2007.⁹ 

To further complicate matters, the FTC Privacy Report suggested, and the pro- 
posed federal legislation would require, notice and consent for the collection of infor- 
mation in-store if that information collection and use fell outside of the exceptions 
for commonly authorized uses. These types of point-of-sale notice requirements are 
extraordinarily burdensome on both the retailer and the consumer in a physical 
store environment. Would a store clerk at point of sale be required to make sure 
a customer both received a privacy policy and understood the choices offered to 
them? Would every clerk in a department store have to repeat the process as a con- 
sumer walked from one third-party administered leased department (e.g., oriental 
rugs) to another (e.g., cosmetics)? Additionally, what new and costly point-of-sale 
technology would be required to record a customer’s marketing choices if they chose 
to opt-out? How would stores be required to keep track of that information (“durable 
opt-out”) when customers can shop in hundreds of store locations in several, if not 
all, states, as well as online? Would a “John Smith” who exercised an opt-out in Or- 
egon be recognized as the same John Smith who visited a store in Florida during 
a family vacation? Or what if John later logged onto the retail website or used a 
retail store’s mobile application on his cell phone? With opt-out rates being histori- 
cally low, would such investments even be worth the expense and employee training 
necessary, particularly given the number of temporary or seasonal employees re- 
tained by a retail store during the course of any given year? 

With these considerations in mind, we ask that the members of the Committee 
reconsider this paradigm altogether and let these types of choices be exercised in 
the context in which a retail privacy policy is commonly offered. For instance, the 
Committee should consider allowing consumers to make marketing choices in the 
context of viewing a retailers’ privacy policy on their website. In turn, we agree that 
marketers should make such policies more accessible to consumers — more easily 
found and in a simplified form. 

The effect of inundating consumers with new notices is also compounded by the 
overly-broad definition of covered information contained in the Kerry-McCain legis- 
lation and the possibility that common practices such as data append or data en- 
hancement are not exempt from these new notice requirements. To require customer 
choice for many activities that fall outside the bill’s exceptions for commonly accept- 
ed practices — for example, transferring customer information for third-party data 
analytics, asking customers about the stage of their pregnancy (a medical condition) 
to market maternity clothes or baby gear, or even deploying cutting-edge mobile 
marketing technologies — will simply make these services much more difficult for re- 
tailers to continue to provide to their customers who want them. 


7 FTC Privacy Report, p. 58. 

8 The State of Retailing Online 2007, Part 1 of 2. 
9 The State of Retailing Online, 2008. 
It is also important to mention again that consumers do not traditionally exercise 
choice — they rarely opt-in and they rarely opt-out. The proposed privacy legislation 
appears to force the issue, without perhaps fully considering the continual annoy- 
ance this may create for the average consumer. For many individuals, there is al- 
ready annoyance about being forced to read and sign a health care privacy policy 
notice in a trusted doctor’s office — and that policy covers the protection of their “sen- 
sitive” health information. Imagine the frustration if the web, or the checkout line 
in your favorite store, was littered with warnings about marketing information. Re- 
tailers can imagine, unfortunately, many customers exercising choices with their 
feet — by choosing to shop elsewhere rather than be frustrated by this government 
vision of a satisfying consumer shopping experience. 

We are also concerned about federal legislative provisions that would require re- 
tailers to obtain opt-in consent for secondary uses of customer data that were not 
specifically disclosed at the time the data was first collected. We believe this re- 
quirement has the clear potential to stifle investment in future innovative uses of 
that data to benefit consumers. For example, had such a limitation been in place 
a decade ago, it may have prevented the use of data about customers’ purchases to 
help provide recommendations to online shoppers (e.g., suggestions that other cus- 
tomers viewing a particular product also viewed similar products, or a greater per- 
centage of other customers favored one product over another). These recommenda- 
tion services exist on many retail websites today and are strongly favored by online 
shoppers. The use of one customer’s data to make online recommendations to other 
customers may not have been disclosed to consumers in the early stages of the de- 
velopment of these practices. Yet, online consumers have benefited from such inno- 
vations despite not having expressly opted in to these data uses in advance. 

The appropriate choice standard for uses of marketing data and other non-identi- 
fiable or non-sensitive data is meaningful notice and the ability to opt-out, as many 
businesses currently provide. Otherwise, the well-meaning provisions in proposed 
legislation could result in actualizing the tragedy of the commons, whereby no inno- 
vation can take place to develop these beneficial services for customers because none 
of them have opted in to future data uses that permits their creation. 

D. Do-Not-Track Mechanisms 

We live in the “information age” as well as a consumer-driven economy where 
two-thirds of our nation’s GDP is directly attributable to consumer spending. Sti- 
fling information flows and innovations in technology (such as mobile marketing) 
would have a very detrimental effect on newly rebounding retail sales. We are very 
concerned about the FTC’s proposed “Do-Not-Track” mechanism, and question its 
relevancy in light of the recent launch of comprehensive self-regulatory programs 
(such as the Ad Choices program) or the new software being developed and incor- 
porated into Internet browser software. 

Despite its similar sounding name, a Do-Not-Track mechanism would be fun- 
damentally different from each of its predecessor proposals — Do-Not-Call and Do- 
Not-Spam (which the FTC rejected) — in that the opt-out itself would not cover a spe- 
cific phone number or individual’s e-mail address, but instead could only be tied to 
computers or mobile devices that may be shared by multiple individuals within 
households or families. This shared use of devices would require individual con- 
sumers to continually opt-out as they changed devices (even moving from the many 
devices within their own home network: work computer, personal laptop, child’s 
laptop, tower computer, Kindle, iPad, iPhone, Smartphone, and the list goes on) and 
could create significant consumer confusion because of the expectations built on the 
earlier Do-Not-Call program. 

We urge the Committee to allow the new self-regulatory programs and techno- 
logical solutions to take root and for the FTC to revisit this issue in its final privacy 
report only if such programs appear to be failing. Since self-regulatory programs 
exist already, we believe the FTC’s efforts should be focused on consumer education 
and awareness (an area where the Commission has and should play a strong role), 
and not on whether consumers are actually exercising their right to opt out under 
such programs. As we have noted above, when offered choices, most consumers sim- 
ply choose to take no action, even after information is made available to them. It 
is highly probable that, once again, the metrics from the new programs simply may 
not bear out the argument (or expectation) that consumers will opt-out even when 
given great information and tailored choices. We hope that both the Committee and 
the Commission will keep these considerations in mind as you and the FTC review 
the adequacy of existing self-regulatory programs and the necessity of mandating 
a government-run Do-Not-Track mechanism for consumers. 
V. Conclusion 

Retailers take the privacy and security of their customers’ information seriously, 
and are motivated both by the desire to follow good business practices as well as 
a basic concern of maintaining their customers’ satisfaction and not losing cus- 
tomers as the result of a perceived privacy gaffe or data security breach. We appre- 
ciate the Committee’s focus on privacy and data security legislation and we believe 
that these continued hearings help clarify many of the issues surrounding the de- 
ployment of new and, sometimes controversial, technologies and business practices. 
As it has often been said, “sunlight is the best disinfectant,” and an ongoing dia- 
logue between the Committee and the business community over privacy issues is 
very useful. In particular, the Committee’s ongoing interest in privacy encourages 
businesses to consider more carefully any changes in data collection or use that may 
make consumers feel uncomfortable about the safety and security of customer infor- 
mation. 

That being said, we would encourage the Committee to re-evaluate the breadth 
of the proposed federal privacy legislation and focus more keenly on specific prac- 
tices that may cause real consumer harm. As drafted, the scope of proposed legisla- 
tion focuses on an enormous swath of data and its uses, without narrowly focusing 
on the practices that the Committee might find most harmful to consumers. In De- 
cember 2010, the FTC released its initial staff report on a proposed U.S. policy 
framework for the collection and use of consumer information. While the Commis- 
sion has expressed its concern that the business community did not act quickly 
enough to implement its suggested best-practices to address the more narrow sub- 
ject of online behavioral advertising practices, we have seen a great deal of activity 
in this area from both a technological and self-regulatory standpoint. This indicates 
that the FTC’s more targeted efforts are having their intended effect, and this type 
of issue-by-issue approach, which focuses on specific consumer information uses, 
helps businesses harness important changes in technology that may need to be 
made in order to provide consumers a greater sense of privacy and security. 

In crafting and considering federal privacy legislation, we strongly urge the Com- 
mittee to continue to respect the importance of information to businesses, particu- 
larly those practicing retail business models that have not been the subject of con- 
sumer complaints driving current federal agency inquiries and proposed privacy leg- 
islation. Retailers must collect, use and store information about their own customers 
going forward — it is vital to their businesses — and we continue to believe that first- 
party marketing (or marketing to one’s own customers) should be exempted from 
any new notice-and-choice regime that may be proposed in privacy legislation. Infor- 
mation about customers is the lifeblood of retail, and effective marketing could not 
occur without the ability for retailers to understand their own customers over time 
and cater to their evolving interests in products. When the Committee members con- 
sider that consumer spending accounts for roughly two-thirds of our economy, and, 
that we are on the cusp of an economic recovery, now is the time for retailers to 
reach out even more effectively to their customers to get them into stores and 
spending again. Legislation that has the unintended consequence of limiting such 
important customer communications may very likely have a corresponding negative 
impact on our economy at a time we can least afford it. 

The Chairman. So ordered. I thank the Senator and now turn to 
Julie Brill, who is the Commissioner of the Federal Trade Commis- 
sion, one of the commissioners; and Austin Schlick, who is General 
Counsel of the Federal Communications Commission; and Cameron 
Kerry, General Counsel, the Department of Commerce — three pret- 
ty good witnesses. 

Ms. Brill, if you wish to proceed. 

STATEMENT OF HON. JULIE BRILL, COMMISSIONER, 
FEDERAL TRADE COMMISSION 

Ms. Brill. Thank you. Chairman Rockefeller, and Ranking Mem- 
ber Hutchison and members of the Committee. I am Julie Brill, a 
Commissioner of the Federal Trade Commission. I appreciate the 
opportunity to present the Commission’s testimony today. 

Vast amounts of personal information about consumers are col- 
lected and used by many different types of businesses, employers, 
retailers, advertisers, data brokers, lenders, insurance companies, 
and many more. Imagine a cash-strapped mother working as a sub- 
stitute teacher and waiting for a permanent opening. She and her 
husband have mounting bills, so to tide them over between pay- 
checks, she gets a payday loan. 

She then goes to the drugstore and buys diapers and Children’s 
Tylenol with her loyalty card. Soon after, in the mail, she gets cou- 
pons for diapers and Children’s Motrin, and she receives an offer 
to refinance her mortgage on terms that seem too good to be true. 

In the evening, the mom goes online to spend time on a social 
network site. While online, she notices she is receiving ads for toys 
and children’s cough medicine, as well as more loan offers. 

Could the drugstore and social networking site have sold infor- 
mation about our consumer’s purchases and interests? Could the 
payday lender have sold information about her need for money to 
other lenders and lead generators, both online and offline, who are 
offering her loans? Could the fact that she is a new mom be sold 
to potential employers? The answer to all of these questions is yes. 

Some of the things I’ve described can offer real benefits. The 
mom probably wants coupons for diapers. But the vast majority of 
consumers are completely unaware that their purchasing history, 
their particular financial situation, information about their health 
and other personal information is sold to data brokers, lead genera- 
tors, lenders, insurance companies, potential employers, and oth- 
ers. 

Most consumers are simply unaware of the data deluge about 
them being collected, sold, and used both online and offline. I am 
concerned about how consumers’ privacy is impacted by these prac- 
tices. 

At the Federal Trade Commission, we are focused on solutions 
that provide consumers with more information and more choices 
about these practices while allowing industry to continue to inno- 
vate and thrive. The FTC enforces laws protecting consumer pri- 
vacy and security, educates consumers and businesses, and engages 
in policy initiatives. 

Our written testimony highlights our many recent significant en- 
forcement efforts related to privacy and data security, including our 
latest action announced just this week against Teletrack, a com- 
pany that sold lists about financially distressed consumers to mar- 
keters. To settle our allegations, Teletrack agreed to comply with 
the Fair Credit Reporting Act and pay a $1.8 million civil penalty. 

Privacy and security continue to be front and center on the Com- 
mission’s policy agenda as well. The Commission has not taken a 
position on whether general privacy or do-not-track legislation is 
needed. But a majority of commissioners, myself included, supports 
widespread implementation of do-not-track mechanisms. 

More generally, the Commission supports strong privacy protec- 
tions. Our preliminary staff privacy report recommended that in- 
dustry build privacy protections into their products and services at 
the outset, simplify choices presented to consumers about privacy, 
and improve transparency relating to data collection and use. 

On data security, the Commission supports the enactment of fed- 
eral data security and breach notification legislation. I am pleased 
that legislation proposed in this committee aims to accomplish all 
of these goals. 

Thank you for your leadership on consumer privacy and data se- 
curity. We look forward to continuing to work closely with you on 
these critical issues. 

[The prepared statement of Ms. Brill follows:] 

Prepared Statement of Hon. Julie Brill, Commissioner, 

Federal Trade Commission 


I. Introduction 

Chairman Rockefeller, Ranking Member Hutchison, and members of the Com- 
mittee, I am Julie Brill, a Commissioner of the Federal Trade Commission (“FTC” 
or “Commission”).¹ I appreciate the opportunity to present the Commission’s testi- 
mony on consumer privacy. 

Privacy has been an important component of the Commission’s consumer protec- 
tion mission for 40 years.² During this time, the Commission’s goal in the privacy 
arena has remained constant: to protect consumers’ personal information and en- 
sure that they have the confidence to take advantage of the many benefits offered 
by the dynamic and ever-changing marketplace. To meet this objective, the Commis- 
sion has undertaken substantial efforts to promote privacy in the private sector 
through law enforcement, education, and policy initiatives. For example, since 2001, 
the Commission has brought 34 cases challenging the practices of companies that 
failed to adequately protect consumers’ personal information; more than 100 spam 
and spyware cases; and 16 cases for violation of the Children’s Online Privacy Pro- 
tection Act (“COPPA”).³ The Commission also has distributed millions of copies of 
educational materials for consumers and businesses to address ongoing threats to 
security and privacy. And the FTC examines the implications of new technologies 
and business practices on consumer privacy through ongoing policy initiatives, such 
as a recent proposed privacy framework. 

This testimony begins by describing some of the uses of consumer data that affect 
consumers’ privacy in today’s economy. It then offers an overview of the Commis- 
sion’s recent efforts in the enforcement, education, and policy areas. While the testi- 
mony does not offer views on general privacy legislation, the Commission encour- 
ages Congress to enact data security legislation that would: (1) impose data security 
standards on companies, and (2) require companies, in appropriate circumstances, 
to provide notification to consumers when there is a security breach.⁴ 

II. Information Flows in the Current Marketplace 

For today’s consumer, understanding the complex transfers of personal informa- 
tion that occur in the offline and online marketplaces is a daunting task. Indeed, 
these information flows take place in almost every conceivable consumer interaction. 
For example, a consumer goes to work and provides sensitive information to her em- 
ployer, such as her Social Security Number, to verify her employment eligibility, 
and bank account number, so that she can get paid. After work, she uses an applica- 
tion on her Smartphone to locate the closest ATM so that she can withdraw cash. 
She then visits her local grocery store and signs up for a loyalty card to get dis- 


1 The views expressed in this statement represent the views of the Commission. My oral pres- 
entation and responses to questions are my own and do not necessarily represent the views of 
the Commission or any other Commissioner. Commissioner William E. Kovacic dissents from 
this testimony to the extent that it endorses a Do Not Track mechanism. Commissioner Rosch 
dissents to the portions of the testimony that discuss and describe certain conclusions about the 
concept of Do Not Track. His views are included in an attached Separate Statement. 

2 Information on the FTC’s privacy initiatives generally may be found at business.ftc.gov/ 
privacy-and-security. 

3 15 U.S.C. §§6501-6508. 

4 The Commission has long supported data security and breach notification legislation. See, 
e.g., Prepared Statement of the Federal Trade Commission, Data Security, Before the Subcomm. 
on Commerce, Manufacturing, and Trade of the H. Comm. on Energy and Commerce, 112th 
Cong., June 15, 2011, available at http://www.ftc.gov/os/testimony/110615datasecurity 
house.pdf (noting the Commission’s support for data security and breach notification standards); 
Prepared Statement of the Federal Trade Commission, Protecting Social Security Numbers From 
Identity Theft, Before the Subcomm. on Social Security of the H. Comm. on Ways and Means, 
112th Cong., April 13, 2011, available at http://ftc.gov/os/testimony/110411ssn-idtheft.pdf 
(same); FTC, Security in Numbers, SSNs and ID Theft (Dec. 2008), available at www.ftc.gov/ 
os/2008/12/P075414ssnreport.pdf; President’s Identity Theft Task Force, Identity Theft Task 
Force Report (Sept. 2008), available at http://www.idtheft.gov/reports/IDTReport2008.pdf. 
counts on future purchases. Upon returning home, the consumer logs onto her com- 
puter and begins browsing the web and updating her social networking page. Later, 
her child logs on to play an online interactive game. 

All of these activities clearly benefit the consumer — she gets paid, enjoys free and immediate access to information, locates places of interest, obtains discounts on purchases, stays connected with friends, and can entertain herself and her family. Her life is made easier in a myriad of ways because of information flows.

There are other implications, however, that may be less obvious. Her grocery store purchase history, web activities, and even her location information, may be collected and then sold to data brokers and other companies she does not know exist. These companies could use her information to market other products and services to her or to make decisions about her eligibility for credit, employment, or insurance. And the companies with whom she and her family interact may not maintain reasonable safeguards to protect the data they have collected.

Some consumers have no idea that this type of information collection and sharing is taking place. Others may be troubled by the collection and sharing described above. Still others may be aware of this collection and use of their personal information but view it as a worthwhile trade-off for innovative products and services, convenience, and personalization. And some consumers — some teens for example — may be aware of the sharing that takes place, but may not appreciate the risks it poses. Because of these differences in consumer understanding and attitudes, as well as the rapid pace of change in technology, policymaking on privacy issues presents significant challenges and opportunities.

As the hypothetical described above shows, consumer privacy issues touch many aspects of our lives in both the brick-and-mortar and electronic worlds. In the offline world, data brokers have long gathered information about our retail purchases, and consumer reporting agencies have long made decisions about our eligibility for credit, employment, and insurance based on our past transactions. But new online business models such as online behavioral advertising, social networking, interactive gaming, and location-based services have complicated the privacy picture. In addition, the aggregation of data in both the online and offline worlds has in some instances led to increased opportunities for fraud. For instance, entities have used past transaction history gathered from both the online and offline world to sell “sucker lists” of consumers who may be susceptible to different types of fraud. In both the online and offline worlds, data security continues to be an issue. The FTC continues to tackle each of these issues through enforcement, education, and policy initiatives.

III. Enforcement 

In the last 15 years, the Commission has brought 34 data security cases; 64 cases against companies for improperly calling consumers on the Do Not Call registry;5 86 cases against companies for violating the Fair Credit Reporting Act (“FCRA”);6 97 spam cases;7 15 spyware (or nuisance adware) cases; and 16 cases against companies for violating COPPA. Where the FTC has authority to seek civil penalties, it has aggressively done so. It has obtained $60 million in civil penalties in Do Not Call cases; $21 million in civil penalties under the FCRA; $5.7 million under the CAN-SPAM Act; and $6.2 million under COPPA. Where the Commission does not have authority to seek civil penalties, as in the data security and spyware areas, it has sought such authority from Congress. In addition, the Commission has brought numerous cases against companies for violating the FTC Act by making deceptive claims about the privacy protection they afford to the information they collect. And these numbers do not fully reflect the scope of the Commission’s vigorous enforcement agenda, as not all investigations result in enforcement actions. When an enforcement action is not warranted, staff closes the investigation, and in some cases it issues a closing letter.8 This testimony highlights the Commission’s recent, publicly-announced enforcement efforts to address the types of privacy issues raised by the hypothetical scenario described above.

First, the Commission enforces the FTC Act and several other laws that require companies to maintain reasonable safeguards for the consumer data they maintain.9

5 16 C.F.R. Part 310.

6 15 U.S.C. §§ 1681e-i.

7 15 U.S.C. §§ 7701-7713.

8 See http://www.ftc.gov/os/closings/staffclosing.shtm.

9 See the Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act, 16 C.F.R. Part 314, implementing 15 U.S.C. § 6801(b), and provisions of the FCRA, 15 U.S.C. §§ 1681e, 1681w, implemented at 16 C.F.R. Part 682.
Most recently, the Commission resolved allegations that Ceridian Corporation10 and Lookout Services, Inc.11 violated the FTC Act by failing to implement reasonable safeguards to protect the sensitive consumer information they maintained. The companies offered, respectively, payroll processing and immigration compliance services for small business employers. As a result, they both obtained, processed, and stored highly-sensitive information — including Social Security numbers — of employees. The Commission alleged that both companies failed to appropriately safeguard this information, which resulted in intruders being able to access it. The orders require the companies to implement a comprehensive data security program and obtain independent audits for 20 years.

Second, the Commission enforces the FCRA, which, among other things, prescribes that companies only sell sensitive consumer report information for “permissible purposes,” and not for general marketing purposes. Just this week, the Commission announced an FCRA enforcement action against Teletrack for violating this provision.12 Teletrack provides consumer reporting services to payday lenders, rental purchase stores, and certain auto lenders, so that they can determine consumers’ eligibility to receive credit. The Commission alleged that Teletrack created a marketing database of consumers, and sold lists of consumers who had applied for payday loans to entities that did not have a permissible purpose. The Commission asserted that Teletrack’s sale of these lists violated the FCRA because the lists were in fact consumer reports, which cannot be sold for marketing purposes. The Commission’s agreement with Teletrack requires it to pay $1.8 million in civil penalties for FCRA violations.

Third, the Commission has been active in ensuring that companies engaged in social networking adhere to any promises to keep consumers’ information private.13 The Commission’s recent case against Google alleges that the company deceived consumers by using information collected from Gmail users to generate and populate its new social network, Google Buzz.14 The Commission charged that Google made public its Gmail users’ associations with their frequent e-mail contacts without the users’ consent and in contravention of Google’s privacy policy. As part of the Commission’s proposed settlement order, Google must implement a comprehensive privacy program and conduct independent audits every other year for the next 20 years. Further, Google must obtain affirmative express consent for product or service enhancements that involve new sharing of previously collected data.15

Fourth, the Commission has sought to protect consumers from deceptive practices in the behavioral advertising area. In June, the Commission finalized a settlement with Chitika, Inc., an online network advertiser that acts as an intermediary between website publishers and advertisers.16 The Commission’s complaint alleged that Chitika violated the FTC Act by offering consumers the ability to opt out of the collection of information to be used for targeted advertising — without telling them that the opt-out lasted only 10 days. The Commission’s order prohibits Chitika from making future privacy misrepresentations. It also requires Chitika to provide consumers with an effective opt-out mechanism, link to this opt-out mechanism in its advertisements, and provide a notice on its website for consumers who may have opted out when Chitika’s opt-out mechanism was ineffective. Finally, the order requires Chitika to destroy any data that can be associated with a consumer that it collected during the time its opt-out mechanism was ineffective.

Fifth, the Commission has tried to ensure that data brokers respect consumers’ choices. In March, the Commission announced a final order against U.S. Search, a data broker that maintained an online service, which allowed consumers to search for information about others.17 The company allowed consumers to opt out of having their information appear in search results, for a fee of $10. The Commission charged that although 4,000 consumers paid the fee and opted out, their personal information still appeared in search results. The Commission’s settlement requires U.S. Search to disclose limitations on its opt-out offer, and to provide refunds to consumers who had previously opted out.

10 Ceridian Corp., FTC Docket No. C-4325 (June 8, 2011) (consent order), available at www.ftc.gov/opa/2011/05/ceridianlookout.shtm.

11 Lookout Servs., Inc., FTC Docket No. C-4326 (June 15, 2011) (consent order), available at www.ftc.gov/opa/2011/05/ceridianlookout.shtm.

12 U.S. v. Teletrack, Inc., No. 1:11-CV-2060 (N.D. Ga. filed June 24, 2011) (proposed consent order), available at http://www.ftc.gov/opa/2011/06/teletrack.shtm.

13 See, e.g., Twitter, Inc., FTC Docket No. C-4316 (Mar. 2, 2011) (consent order), available at http://www.ftc.gov/opa/2010/06/twitter.shtm (resolving allegations that social networking service Twitter deceived its customers by failing to honor their choices after offering the opportunity to designate certain “tweets” as private).

14 Google, Inc., FTC File No. 102 3136 (Mar. 30, 2011) (consent order accepted for public comment), available at www.ftc.gov/opa/2011/03/google.shtm. Commissioner Rosch issued a concurring statement expressing concerns about the terms of the proposed consent agreement, available at http://www.ftc.gov/os/caselist/1023136/110330googlebuzzstatement.pdf.

15 This provision would apply to any data collected by Google about users of any Google product or service, including mobile and location-based data.

16 Chitika, Inc., FTC Docket No. C-4324 (June 7, 2011) (consent order), available at http://www.ftc.gov/opa/2011/03/chitika.shtm.

Finally, to protect children’s privacy, the Commission enforces the Children’s Online Privacy Protection Act (“COPPA”). In its most recent case, against Playdom, Inc. and one of its senior executives, the Commission obtained an agreement with the operators of 20 online virtual worlds to pay $3 million to settle charges that they violated COPPA by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ consent.18 The defendants allegedly collected children’s ages and e-mail addresses during registration and then enabled them to publicly post their full names, e-mail addresses, instant messenger IDs, and location on personal profile pages and in online community forums. The FTC charged that the defendants’ failure to provide proper notice or obtain parents’ prior verifiable consent before collecting or disclosing children’s personal information violated COPPA. It further charged that the defendants violated the FTC Act because their privacy policy misrepresented that the company would prohibit children under 13 from posting personal information online. In addition to the $3 million civil penalty — the largest ever for a COPPA violation — the proposed settlement permanently bars the defendants from violating COPPA and from misrepresenting their information practices regarding children.

IV. Education

The FTC conducts outreach to businesses and consumers in the area of consumer privacy. The Commission’s well-known OnGuard Online website educates consumers about many online threats to consumer privacy and security, including spam, spyware, phishing, peer-to-peer (“P2P”) file sharing, and social networking.19 The Commission has also issued numerous education materials to help consumers protect themselves from identity theft and to deal with its consequences when it does occur. The FTC has distributed over 3.8 million copies of a victim recovery guide — Take Charge: Fighting Back Against Identity Theft — and has recorded over 3.5 million visits to the Web version. In addition, the FTC has developed education resources specifically for children, parents, and teachers to help children stay safe online. In response to the Broadband Data Improvement Act of 2008, the FTC produced the brochure Net Cetera: Chatting with Kids About Being Online to give adults practical tips to help children navigate the online world.20 In less than 1 year, the Commission distributed more than 7 million copies of Net Cetera to schools and communities nationwide.

Business education is also an important priority for the FTC. The Commission developed a widely-distributed guide to help small and medium-sized businesses implement appropriate data security for the personal information they collect and maintain.21

Another way in which the Commission seeks to educate businesses is by publicizing its complaints and orders and issuing public closing letters. For example, the Commission recently sent a letter closing an investigation of Social Intelligence Corporation, a company that sold reports to employers about potential job applicants.22 The reports included public information gathered from social networking sites. The investigation sought to determine Social Intelligence’s compliance with the FCRA.23 Although the staff decided to close the particular investigation, the public closing letter served to notify similarly situated businesses that, to the extent they collect information from social networking sites for employment determinations, they must comply with the FCRA. The letter included guidance on the obligations of such businesses under the FCRA. For example, companies must take reasonable steps to ensure the maximum possible accuracy of the information reported from social networking sites. They must also provide employers who use their reports with information about the employers’ obligation to notify job applicants if they were denied employment on the basis of these reports, and to provide such applicants with information about their rights under the FCRA.

17 U.S. Search, Inc., FTC Docket No. C-4317 (Mar. 14, 2011) (consent order), available at http://www.ftc.gov/opa/2010/09/ussearch.shtm.

18 See U.S. v. Playdom, Inc., No. SACV11-00724 (C.D. Cal. filed May 11, 2011) (proposed consent order), available at http://www.ftc.gov/opa/2011/05/playdom.shtm.

19 See www.onguardonline.gov. Since its launch in 2005, OnGuard Online and its Spanish-language counterpart Alerta en Línea have attracted nearly 12 million unique visits.

20 See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start with Online Child Safety Campaign (Mar. 31, 2010), available at www.ftc.gov/opa/2010/03/netcetera.shtm.

21 Protecting Personal Information: A Guide For Business, available at www.ftc.gov/infosecurity.

22 Letter from Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection to Renee Jackson, Counsel to Social Intelligence Corporation (May 9, 2011), available at www.ftc.gov/os/closings/110509socialintelligenceletter.pdf.

23 FTC staff did not express an opinion on the merits of Social Intelligence’s business model.

V. Policy Initiatives 

The Commission’s privacy program also includes public workshops, reports, and policy reviews to examine the implications of new technologies and business practices on consumer privacy. For example, in December 2009, February 2010, and March 2010, the FTC convened three public roundtables to explore consumer privacy issues, including the issues facing the hypothetical consumer discussed in Section II above.24

Based on these roundtable discussions, staff issued a preliminary report in December 2010,25 which proposed and solicited comment on a new framework to guide policymakers and industry as they consider further steps to improve consumer privacy protection. The proposed framework included three main concepts.

First, staff recommended that companies should adopt a “privacy by design” approach by building privacy protections into their everyday business practices, such as collecting or retaining only the data they need to provide a requested service or transaction, and implementing reasonable security for such data. Thus, for example, if a mobile application (“app”) is providing traffic and weather information to a consumer, it does not need to collect call logs or contact lists from the consumer’s device. Similarly, if an app does need sensitive information, such as location, in order to provide a requested service, the app developer should carefully consider how long the information should be retained to provide such service and how the information should best be protected.

Second, staff proposed that companies provide simpler and more streamlined choices to consumers about their data practices. One example of how choice may be simplified for consumers is through a universal, one-stop choice mechanism for online behavioral tracking, often referred to as “Do Not Track.” The Staff Report recommended implementation of such a system.26 Following the release of the Staff Report, the Commission has testified that any Do Not Track system should include certain attributes.27 First, any Do Not Track system should be implemented universally, so that consumers do not have to repeatedly opt out of tracking on different sites. Second, the choice mechanism should be easy to find, easy to understand, and easy to use. Third, any choices offered should be persistent and should not be deleted if, for example, consumers clear their cookies or update their browsers. Fourth, a Do Not Track system should be comprehensive, effective, and enforceable. It should opt consumers out of behavioral tracking through any means and not permit technical loopholes. Finally, an effective Do Not Track system would go beyond simply opting consumers out of receiving targeted advertisements; it would opt them out of collection of behavioral data for all purposes other than product and service fulfillment and other commonly accepted practices.28

24 See generally FTC Exploring Privacy web page, at www.ftc.gov/bcp/workshops/privacyroundtables.

25 See A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010), available at www.ftc.gov/os/2010/12/101201privacyreport.pdf. Commissioners Kovacic and Rosch issued concurring statements available at www.ftc.gov/os/2010/12/101201privacyreport.pdf at Appendix D and Appendix E, respectively.

26 Commissioner Kovacic believes that the endorsement of a Do Not Track mechanism by staff (in the report) and the Commission (in this testimony) is premature. His concerns about the Commission Staff Report are set forth in his statement on the report. See FTC Staff Report, supra note 22, at App. D. Commissioner Rosch supported a Do Not Track mechanism only if it were “technically feasible” and implemented in a fashion that provides informed consumer choice regarding all the attributes of such a mechanism. Id. at App. E. Commissioner Rosch continues to believe that a variety of issues need to be addressed prior to the endorsement of any particular Do Not Track mechanism. See Statement of Commissioner J. Thomas Rosch, Dissenting in Part, Privacy and Data Security: Protecting Consumers in the Modern World, Hearing Before the S. Comm. on Commerce, Science, and Transportation, 112th Cong. (June 29, 2011).

27 See, e.g., Prepared Statement of the Federal Trade Commission, The State of Online Consumer Privacy, Hearing Before the S. Comm. on Commerce, Science and Transportation, 112th Cong. (Mar. 16, 2011), available at http://www.ftc.gov/os/testimony/110316consumerprivacysenate.pdf; Prepared Statement of the Federal Trade Commission, Do Not Track, Hearing Before the Subcomm. on Commerce, Trade and Consumer Protection of the H. Comm. on Energy and Commerce, 111th Cong. (Dec. 2, 2010), available at www.ftc.gov/os/testimony/101202donottrack.pdf (hereinafter “Do Not Track Testimony”).

Of course, any Do Not Track system should not undermine the benefits that online behavioral advertising has to offer, by funding online content and services and providing personalized advertisements that many consumers value. For this reason, any Do Not Track mechanism should be flexible. For example, it should allow companies to explain the benefits of tracking and to take the opportunity to convince consumers not to opt out of tracking. Further, a Do Not Track system could include an option that enables consumers to control the types of advertising they want to receive and the types of data they are willing to have collected about them, in addition to providing the option to opt out completely.29

Industry appears to be receptive to the demand for simple choices. Recently, three of the major browsers offered by Mozilla, Microsoft, and Apple, announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control and improved ease of use. More recently, Mozilla introduced a version of its browser that enables Do Not Track for mobile web browsing. In addition, an industry coalition of media and marketing associations, the Digital Advertising Alliance, has continued to make progress on implementation of its improved disclosure and consumer choice mechanism offered through a behavioral advertising icon.

Third, the Staff Report proposed a number of measures that companies should take to make their data practices more transparent to consumers. For instance, in addition to providing the contextual disclosures described above, companies should improve their privacy notices so that consumers, advocacy groups, regulators, and others can compare data practices and choices across companies, thus promoting competition among companies. The staff also proposed providing consumers with reasonable access to the data that companies maintain about them, particularly for non-consumer-facing entities such as data brokers. Because of the significant costs associated with access, the Staff Report noted that the extent of access should be proportional to both the sensitivity of the data and its intended use. Staff is evaluating the 450 comments received and expects to issue a final report later this year.

In addition to issuing reports, the Commission also reviews its rules periodically to ensure that they keep pace with changes in the marketplace. The Commission is currently reviewing its rule implementing COPPA and anticipates that any proposed changes will be announced in the coming months.30

Finally, the Commission hosts workshops to study and publicize more specific issues. One such issue that has been in the news recently is identity theft targeting children.31 For a variety of reasons — including poor safeguards for protecting children’s data — identity thieves can get access to children’s Social Security numbers. These criminals may deliberately use a child’s Social Security number, or fabricate a Social Security number that coincidentally has been assigned to a child, in order to obtain employment, apply for government benefits, open new accounts, or apply for car loans or even mortgages. Child identity theft is especially pernicious because the theft may not be detected until the child becomes an adult and seeks employment, or applies for student and car loans.

To address the challenges raised by child identity theft, Commission staff, along with the Department of Justice’s Office of Victims of Crime, will host a forum on July 12, 2011.32 Participants will include educators, child advocates, and representatives of various governmental agencies and the private sector. The forum will include a discussion on how to improve the security of children’s data in various contexts — including within the education system as well as the foster care system — where children may be particularly susceptible to identity theft. The goal of the forum is to develop ways to effectively advise parents on how to avoid child identity theft, how to protect children’s personal data, and how to help parents and young adults who have been victims of child identity theft recover from the crime.

28 As noted in prior Commission testimony, such a mechanism should be different from the Do Not Call program in that it should not require the creation of a “Registry” of unique identifiers, which could itself cause privacy concerns. See Do Not Track Testimony, supra note 27.

29 For example, use of a Do Not Track browser header would enable consumer customization. The browser could send the header to some sites and not others. Moreover, a particular site could ignore the header to the extent the user has consented to tracking on that site.

30 See generally COPPA Rulemaking and Rule Reviews web page, available at business.ftc.gov/documents/coppa-rulemaking-and-rule-reviews.

31 See, e.g., Richard Power, Carnegie Mellon Cylab, Child Identity Theft, New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers (2011), available at www.cyblog.cylab.cmu.edu/2011/03/child-identity-theft.html; Children’s Advocacy Institute, The Fleecing of Foster Children: How We Confiscate Their Assets and Undermine Their Financial Security (2011), available at http://www.caichildlaw.org/Misc/Fleecing_Report_Final_HR.pdf.

32 Press Release, FTC, Department of Justice to Host Forum on Child Identity Theft (June 2, 2011), available at www.ftc.gov/opa/2011/06/childtheft.shtm.

VI. Conclusion 

The Commission is committed to protecting consumers’ privacy and security — both online and offline. We look forward to continuing to work with Congress on these critical issues.


Attachment 

Prepared Statement of Commissioner J. Thomas Rosch, Dissenting in Part
Privacy and Data Security: Protecting Consumers in the Modern World

The root problem with the concept of “Do Not Track” is that we, and with respect, the Congress, do not know enough about most tracking to determine how to achieve the five attributes identified in today’s Commission testimony,1 or even whether those attributes can be achieved. Considered in a vacuum, the proposed Do Not Track attributes set forth in today’s testimony can be considered innocuous, indeed even beneficial. However, the concept of Do Not Track cannot be considered in a vacuum. The promulgation of five attributes, standing alone, untethered to actual business practices and consumer preferences, and not evaluated in light of their impact upon innovation or the Internet economy, is irresponsible. I therefore respectfully dissent to the portions of the testimony that discuss and describe certain conclusions about the concept of Do Not Track.2

It is easy to attack practices that threaten data security. There is a consensus in 
both the United States and Europe that those practices are pernicious, and the 
Commission has successfully challenged them.^ It is also easy to attack practices 
that compromise certain personally identifiable information (“PH”) like one’s social 
security number, confidential financial or health data, or other sensitive informa- 
tion, such as that respecting children. The consensus about those practices in the 
United States is reflected in federal statutes like the Health Insurance Portability 
and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), and the 
Children’s Online Privacy Protection Act (“COPPA”), and the Commission has like- 
wise successfully challenged practices that violate those statutes.’^ On the other 
hand, some of the “tracking” that occurs routinely is benign, such as tracking to en- 
sure against advertisement repetition and other tracking activities that are essen- 
tial to ensuring the smooth operation of websites and Internet browsing. But we do 
not know enough about other kinds of “tracking” — or what consumers think about 


^As described in today’s and prior testimony, the five attributes are: 

First, any Do Not Track system should be implemented universally, so that consumers do not 
have to repeatedly opt out of tracking on different sites. Second, the choice mechanism should 
be easy to find, easy to understand, and easy to use. Third, any choices offered should be per- 
sistent and should not be deleted if, for example, consumers clear their cookies or update their 
browsers. Fourth, a Do Not Track system should be comprehensive, effective, and enforceable. 
It should opt consumers out of behavioral tracking through any means and not permit technical 
loopholes. Finally, an effective Do Not Track system would go beyond simply opting consumers 
out of receiving targeted advertisements; it would opt them out of collection of behavioral data 
for all purposes other than product and service fulfillment and other commonly accepted prac- 
tices. 

2 The concept of Do Not Track was presented in the preliminary Staff Privacy Report, issued 
in December 2010. See http://www.fte.gOv/osl2010/12/101201privacyreport.pdf. At that time, 
the Commission requested public comment on the issues raised in that preliminary report. 

^See, e.g., Lookout Servs., Inc., FTC File No. 1023076 (June 15, 2011) (consent order) (allejpng 
failure to reasonably and appropriately secure employees’ and customers’ personal information, 
collected and maintained in an online data base); CVS Caremark Corp., FTC File No. 0723119 
(June 18, 2009) (consent order) (alleging failure to implement reasonable policies and procedures 
for secure disposal of personal information); BJ's Wholesale Club, Inc., FTC Docket No. C^148 
(Sept. 20, 2005) (consent order) (alleging failure to take reasonable and appropriate security 
measures to protect sensitive consumer financial information with respect to credit and debit 
card purchases); Eli Lilly and Co., FTC File No. 0123214 (May 8, 2002) (consent order) (alleging 
failure to provide appropriate training for employees regarding consumer privacy and informa- 
tion security). 

‘^Rite Aid Corp., FTC File No. 0723121 (Nov. 12, 2010) (consent order) (in conjunction with 
HHS; alleging failure to establish policies and procedures for the secure disposal of consumers’ 
sensitive health information) (HIPAA); SettlementOne Credit Corp., FTC File No. 0823208 (Feb. 
9, 2011) (proposed consent agreement) (alleging that credit report reseller failed to implement 
reasonable safeguards to control risks to sensitive consumer information) (GLBA); United States 
V. Playdom, Inc., Case No. SACV ll-0724-AG(ANx) (C.D. Cal. May 24, 2011) (consent order) 
(alleging failure to provide notice and obtain consent from parents before collecting, using, and 
disclosing children’s personal information) (COPPA). 
it — to reach any conclusions about whether most consumers consider it good, bad 
or are indifferent. 

More specifically, it is premature to endorse any particular browser’s Do Not 
Track mechanism. One type of browser mechanism proposed to implement Do Not 
Track involves the use of “white lists” and “black lists” to allow consumers to pick 
and choose which advertising networks they will allow to track them.[5] These lists 
are furnished by interested third parties in order to prevent the types of tracking 
that consumers supposedly do not want.[6] It is clear from these “lists” what the in- 
terested third parties think about the tracking on the lists (or not on the lists). How- 
ever, it is not clear whether most consumers share those views, or even understand 
the basis upon which the “list” was created. Another proposed browser Do Not Track 
mechanism operates by sending a Do Not Track header as consumers surf the Inter- 
net. This mechanism would only eliminate tracking to the extent that the entities 
receiving the Do Not Track header understand and respect that choice. Theoretically 
at least, this mechanism could block all tracking if it does not offer customization 
and preserve the ability to customize.[7] This is important because there may be some 
tracking that consumers find beneficial and wish to retain. 

Beyond that, consumers (including consumers that are surveyed by interested 
third parties) are generally not fully informed about the consequences — both bad 
and good — of subscribing to a Do Not Track mechanism.[8] They are not always told, 
for example, that they may lose content (including advertising) that is most perti- 
nent and relevant to them. Neither are they told that they may lose free content 
(that is paid for by advertising). Nor are they told that subscribing to a Do Not 
Track mechanism may result in more obtrusive advertising or in the loss of the 
chance to “sell” the history of their Internet activity to interested third parties. In- 
deed, they are not even generally told what kinds of tracking are going to be elimi- 
nated. On the other hand, consumers are not told that tracking may facilitate the 
compilation of a consumer “profile” through the aggregation of information by third 
parties to whom it is sold or with whom it is shared (such as insurance companies 
engaged in “rating” consumers). One reason that consumers are not told about the 
latter consequence is that we do not know enough about what information is being 
collected and sold to third parties to know the extent to which such aggregation is 
occurring. 

One thing is certain though: consumers cannot expect simply to “register” for a 
Do Not Track mechanism as they now register for “Do Not Call.”[9] That is because 
a consumer registering for Do Not Call needs to furnish only his or her phone num- 
ber. In the context of the Do Not Call program, each telephone already has a unique 
identifier in the form of a telephone number. In contrast, there is no such persistent 
identifier for computers. For example, Internet Protocol (“IP”) addresses can and do 
change frequently. In this context, creating a persistent identifier, and then submit- 
ting it to a centralized data base, would raise significant privacy issues.[10] Thus, in- 
formation respecting the particular computer involved is essential, and that kind of 
information cannot be furnished without compromising the very confidential infor- 
mation that consumers supposedly do not want to share. In addition, multiple users 
of the same computer or device may have different preferences, and tying a broad 
Do Not Track mechanism to a particular computer or device does not take that into 
consideration. 

This is not to say that a Do Not Track mechanism is not feasible. It is to say 
that we must gather competent and reliable evidence about what kind of tracking 
is occurring before we embrace any particular mechanism. We must also gather reli- 
able evidence about the practices most consumers are concerned about. Nor is it to 


5 Many, if not all, browsers currently allow consumers to customize their browser to prevent 
the installation of, or delete already installed, cookies that are used for tracking. 

6 Some Tracking Protection Lists (TPLs) allow any criterion to be used to decide which sites 
go on a TPL and which do not. In some cases, consumers may have the option to create their 
own TPL. However, as discussed below, neither the FTC, nor consumer advocates, nor con- 
sumers themselves, know enough about the tracking, collection, retention and sharing practices 
of online entities. 

7 In addition, it is not clear how the “recipient” of the Do Not Track header would respond 
to such a request when the consumer has otherwise indicated that he or she wishes to have 
the recipient customize the consumer’s experience. 

8 That is not to say that current technology cannot facilitate these disclosures. However, it is 
critical that advertisers and publishers take the opportunity to explain to consumers what their 
practices are and why they might be beneficial. 

9 See Prepared Statement of the Federal Trade Commission on Do Not Track Before the House 
Committee on Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Pro- 
tection, Dec. 2, 2010, available at http://www.ftc.gov/os/testimony/101202donottrack.pdf. 

10 A new identifier would be yet another piece of PII that companies could use to gather data 
about individual consumers. 
say that it is impossible to gather that evidence. The Commission currently knows 
the identities of several hundred ad networks representing more than 90 percent 
of those entities engaged in the gathering and sharing of tracking information. It 
is possible to serve those networks with compulsory process, which means that the 
questions about their information practices (collection, tracking, retention and shar- 
ing) must be answered under oath. That would enable the Commission to determine 
and report the kinds of information practices that are most frequently occurring. 
Consumers could then access more complete and reliable information about the con- 
sequences of information collection, tracking, retention and sharing. Additionally, 
the Commission could either furnish, or, depending on technical changes that may 
occur, facilitate the furnishing of, more complete and accurate “lists” and consumers 
would then have the ability to make informed choices about the collection, tracking, 
retention and sharing practices they would or would not permit. 

This course is not perfect. For one thing, it would take time to gather this infor- 
mation. For another thing, it would involve some expense and burden for responding 
parties (though no more than that to which food and alcohol advertisers who cur- 
rently must answer such questionnaires are exposed). Consumers would also be 
obliged to avail themselves of the information provided by the Commission. But I 
respectfully submit that this course is superior to acting blindly, which is what I 
fear we are doing now. 
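
The statement above notes that a Do Not Track header only eliminates tracking to the extent the entities receiving it understand and respect it. The following JavaScript is an added example, not part of Commissioner Brill's statement or the hearing record: it shows the receiving side, a site that reads the DNT request header, drops behavioural tracking cookies while keeping those needed for fulfilment, answers with the Tk response header from the W3C Tracking Preference Expression draft, and applies a Tracking Protection List style suffix match to third-party hosts. The function names, cookie purposes, list entries and sample requests are constructed assumptions for illustration.

```javascript
// Added example (not from the hearing record): the receiving side of the
// Do Not Track header mechanism. The browser only sends "DNT: 1"; tracking
// stops only if the site that receives the header checks it, as this does.
// Function names, cookie purposes, list entries and sample requests are
// constructed assumptions for illustration.

// Cookies needed to deliver the service (kept even under DNT) versus a cookie
// used only for behavioural tracking (dropped under DNT). Constructed sample.
const SAMPLE_COOKIES = [
  { name: 'session', value: 'abc123', purpose: 'fulfilment' },
  { name: 'cart',    value: 'sku-42', purpose: 'fulfilment' },
  { name: 'adid',    value: 'u-9f2e', purpose: 'tracking' },
];

// Read the user's preference from request headers (keys lower-cased, as
// Node's http module presents them). Per the W3C Tracking Preference
// Expression draft: "1" = opt out of tracking, "0" = consent, absent = unset.
function trackingPreference(headers) {
  const raw = headers['dnt'];
  if (raw === undefined || raw === null) return 'unset';
  const v = String(raw).trim();
  if (v === '1') return 'opt-out';
  if (v === '0') return 'opt-in';
  return 'unset'; // malformed value: treat as "no preference expressed"
}

// Tracking Protection List style check: is this host a listed domain or a
// subdomain of one? Matching on a dot boundary keeps "nottracker.example"
// from matching a list entry for "tracker.example".
function hostIsListed(host, list) {
  const h = host.trim().toLowerCase().replace(/\.$/, '');
  return list.some(d => h === d || h.endsWith('.' + d));
}

// Browser-side view: the third-party hosts on a page that a TPL would block.
function blockedByList(thirdPartyHosts, list) {
  return thirdPartyHosts.filter(h => hostIsListed(h, list));
}

// Server-side policy: under DNT: 1 only non-tracking cookies are set, and the
// Tk response header (W3C draft) tells the browser "N" (not tracking) or "T".
function buildResponse(headers, cookies) {
  const pref = trackingPreference(headers);
  const kept = pref === 'opt-out'
    ? cookies.filter(c => c.purpose !== 'tracking')
    : cookies;
  const tracking = kept.some(c => c.purpose === 'tracking');
  return {
    preference: pref,
    headers: { Tk: tracking ? 'T' : 'N' },
    setCookie: kept.map(c => `${c.name}=${c.value}; Secure; HttpOnly; SameSite=Lax`),
  };
}

// Constructed sample traffic.
const OPT_OUT_REQUEST = { host: 'shop.example', dnt: '1' };
const NO_PREF_REQUEST = { host: 'shop.example' };
const SAMPLE_TPL = ['tracker.example', 'ads.example'];
const PAGE_THIRD_PARTIES = ['cdn.example', 'pixel.tracker.example', 'nottracker.example'];

console.log(buildResponse(OPT_OUT_REQUEST, SAMPLE_COOKIES));
console.log(buildResponse(NO_PREF_REQUEST, SAMPLE_COOKIES));
console.log(blockedByList(PAGE_THIRD_PARTIES, SAMPLE_TPL));
```

The header is purely advisory: a server that never calls anything like buildResponse sets the same cookies whether or not DNT: 1 arrived, which is the limitation the statement describes. A malformed DNT value is treated as no preference rather than as consent, and the list matcher checks on a dot boundary so that a listed domain does not accidentally match an unrelated host that merely ends with the same characters.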

The Chairman. Thank you, Ms. Brill. 

Welcome, Mr. Kerry. 

STATEMENT OF HON. CAMERON F. KERRY, GENERAL 
COUNSEL, U.S. DEPARTMENT OF COMMERCE 

Mr. Kerry. Thank you. Thank you, Chairman Rockefeller, Sen- 
ator Thune, and members of the Committee. I welcome the oppor- 
tunity to be here today and to discuss with you the issue of how 
we can best protect consumer data privacy in a digital age. This 
is an issue that affects everyone. 

At this committee’s hearing on March 16, the Obama Adminis- 
tration urged legislation to establish basic commercial data privacy 
protection for all U.S. consumers. What we recommended then had 
three elements. 

The first is baseline privacy protection in the form of a consumer 
privacy bill of rights adapted from widely accepted fair information 
practice principles. The second is for government to convene multi- 
stakeholder processes to encourage the private sector to develop le- 
gally enforceable, context specific codes of conduct that implement 
the bill of rights in specific context. 

And the third is to bolster the Federal Trade Commission’s lead- 
ership in this field by granting it explicit authority to enforce the 
privacy bill of rights and to grant safe harbors for revolving codes 
of conduct. 

We are encouraged that members of this committee and others 
in Congress have introduced several bills to address significant 
data privacy issues. The Administration looks forward to working 
closely with members of this committee and Congress to pass legis- 
lation that will protect consumer interests and provide businesses 
and consumers with a clear and consistent set of rules of the road 
both within the United States and internationally. 

Our conclusion that the time has come for comprehensive data 
privacy protection is a product of the work of the Department of 
Commerce Internet Policy Task Force and the National Science and 
Technology Council subcommittee that I co-chair. It reflects two te- 
nets. 
The first is very simply that to harness the full power of the 
Internet, we need clear rules that allow for innovation and eco- 
nomic growth while protecting trust and respecting consumers’ le- 
gitimate privacy expectations. Consumer groups, industry, and 
leading privacy scholars agree that a large percentage of Americans 
do not know what information is being collected about them or how 
they can control collection and use. 

Second, as we establish guidelines, we need to avoid a regulatory 
environment that restricts the innovation and the free flow of infor- 
mation that have been hallmarks of the Internet and drivers of eco- 
nomic growth and an expansion of information that stretches the 
boundaries of human knowledge and creates social and political 
change. Legislation shouldn’t add duplicative or overly burdensome 
regulatory requirements to businesses that already adhere to 
strong privacy principles or that are subject to existing sectoral re- 
gimes. Legislation should be technology neutral so that, consistent 
with baseline principles, firms have flexibility to adapt technology 
to comply and to adopt business models that use data in ways not 
contemplated today. 

Our work continues as the Administration finishes a white paper 
on commercial privacy. At the Department of Commerce, we will 
engage with stakeholders on the development of codes of conduct. 
We will work on data security and work with other agencies to en- 
sure global interoperability. 

This is an area where Congressional action can have significant 
impact. Two weeks ago, I was in Budapest to speak with European 
data privacy commissioners. And I can report to you that com- 
prehensive legislation will send a strong message of U.S. leader- 
ship that could form a model for our partners, help prevent frag- 
mentation of the world’s privacy laws, and undo restrictions on 
businesses that conduct international trade. 

So, Mr. Chairman, we look forward to working with you, the 
Committee, stakeholders, the FTC, and with other federal agencies 
toward enactment of legislation in the field. I ask that my written 
comments be included in the record and welcome any questions. 

Thank you again for this opportunity. 

[The prepared statement of Mr. Kerry follows:] 

Prepared Statement of Hon. Cameron F. Kerry, General Counsel, 

U.S. Department of Commerce 

I. Introduction 

Chairman Rockefeller, Ranking Member Hutchison, and distinguished Committee 
members, thank you for the opportunity to testify about the important issue of on- 
line privacy on behalf of the Department of Commerce (“Department” or “Com- 
merce”). I welcome the opportunity to discuss how we can best protect consumer 
data privacy in the Digital Age. And I am pleased to testify here today with Com- 
missioner Julie Brill of the Federal Trade Commission (FTC) and a fellow General 
Counsel, Austin Schlick of the Federal Communications Commission (FCC). 

At this committee’s March 16, 2011, hearing on “The State of Online Data Pri- 
vacy,” the Administration announced its support for legislation that would create 
baseline consumer data privacy protections through a “consumer privacy bill of 
rights.”[1] We urged Congress to consider legislation that would establish these rights 


1 Statement of Lawrence E. Strickling, Assistant Secretary for Communications and Informa- 
tion, before the Committee on Commerce, Science, and Transportation, U.S. Senate, Mar. 16, 
2011, http://www.ntia.doc.gov/presentations/2011/Strickling_Senate_Privacy_Testimony_03162011.html. 
and obligations; to encourage the private sector to develop legally-enforceable, in- 
dustry-specific codes of conduct that can address emerging privacy issues while pro- 
viding companies some assurance that they are in compliance with the law; and to 
grant the FTC the proper authority to enforce the law. 

We are encouraged that members of this committee and others have introduced 
several bills that reflect a bipartisan effort to address significant consumer data pri- 
vacy issues affecting our society and our economy. 

Since this committee’s hearing in March, we have been hard at work fleshing out 
Administration views on the issues we highlighted then. These views will inform an 
Obama Administration “White Paper” on consumer data privacy, which we are in 
the midst of drafting. I am here today to say we look forward to working with this 
Committee and other Members of Congress to pass legislation that will protect con- 
sumers’ interests and provide businesses clear and consistent rules of the road. 

As we stated in March, the Administration supports legislation that, first, creates 
a set of basic privacy protections in the commercial context for all American con- 
sumers. Second, the Administration supports creating incentives for the private sec- 
tor to develop legally-enforceable rules that specify how to implement this bill of 
rights in specific business contexts. Third, because enforcement is critical to ensur- 
ing that any consumer privacy bill of rights is effective, the Administration supports 
granting the FTC clear authority to enforce the privacy obligations established by 
legislation.[2] 

I will outline briefly how we arrived at these premises, and then elaborate on each 
one. 

II. The Need to Strengthen Our Consumer Data Privacy Framework 

Strengthening consumer data privacy protections is integral to the Department’s 
Internet policy agenda. Consumer data privacy is one of the core issues under as- 
sessment by the Department’s Internet Policy Task Force, which Secretary Gary 
Locke convened to examine how well U.S. policies on privacy, cybersecurity, copy- 
right protection, and the free flow of information serve consumers, businesses, and 
other participants in the Internet economy.[3] 

The Internet economy has sparked tremendous innovation, and the Internet is an 
essential platform for economic growth, domestically and globally. Digital technology 
linked by the Internet has enabled large-scale collection, analysis, and storage of 
personal information. These tools enable new service options and capabilities but 
they also create risks to individual privacy. 

Privacy is a key ingredient for sustaining consumer trust, which in turn is critical 
to realize the full potential for innovation and the growth of the Internet. The tech- 
nical and organizational complexity of this environment makes it challenging for in- 
dividual consumers to understand and manage the uses of their personal data even 
if they are technically adept. 

The Commerce Internet Policy Task Force has engaged with a broad array of 
stakeholders, including companies, consumer advocates, academic privacy experts, 
and other government agencies. Our work produced the Task Force’s “Green Paper” 
on consumer data privacy in the Internet economy on December 16, 2010.[4] The pri- 
vacy Green Paper made ten separate recommendations on how to strengthen con- 
sumer data privacy protections while also promoting innovation, but it also brought 
to light many additional questions. 

The comments we received on the privacy Green Paper from business, academics, 
and advocates informed our conclusion that the U.S. consumer data privacy frame- 
work will benefit from legislation that establishes a clearer set of rules for busi- 
nesses and consumers, while preserving the innovation and free flow of information 
that are hallmarks of the Internet. This conclusion reflects two tenets. First, to har- 
ness the full power of the Internet, we need to establish norms and ground rules 
for uses of information that allow for innovation and economic growth while respect- 
ing consumers’ legitimate privacy interests. Consumer groups, industry, and leading 
privacy scholars agree that a large percentage of Americans do not fully understand 
and appreciate what information is being collected about them, and how they are 


2 Id. 

3 U.S. Dept. of Commerce, Commerce Secretary Locke Announces Public Review of Privacy 
Policy and Innovation in the Internet Economy, Launches Internet Policy Task Force, Apr. 21, 
2010, http://www.commerce.gov/print/news/press-releases/2010/04/21/commerce-secretary-locke-announces-public-review-privacy-policy-and-i. 

4 Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy 
Framework, Dec. 16, 2010, http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf. 
able to stop certain practices from taking place.[5] Second, as we go about estab- 
lishing these privacy guidelines, we also need to be careful to avoid creating an 
overly complicated regulatory environment.[6] 

III. Strengthening Our Consumer Data Privacy Framework Through 
Baseline Protections 

To achieve these goals, the Administration recommended legislation to establish 
baseline consumer data privacy protections that will apply in commercial contexts 
and help fill in gaps in current privacy laws. These protections should be flexible, 
enforceable at law, and serve as the basis for both enforcement and development 
of enforceable codes of conduct that specify how the legislative principles apply in 
specific business contexts. Though we are still reviewing the details of the various 
bills introduced, we note they generally adopt an approach of defining baseline obli- 
gations for companies that handle personal data; giving the FTC enforcement au- 
thority; and encouraging the development of industry-specific codes of conduct to im- 
plement these baseline requirements. 

A. Enacting a Consumer Privacy Bill of Rights 

The Administration recommended that statutory baseline protections for con- 
sumer data privacy be enforceable at law and based on a comprehensive set of Fair 
Information Practice Principles (FIPPs). In the Department of Commerce Green 
Paper, we drew from existing statements of FIPPs as a starting point for principles 
that should apply in the commercial context, in particular the original principles de- 
veloped by the Department of Health, Education and Welfare in 1973[7] and elabo- 
rations developed by the Organisation for Economic Co-operation and Development 
(OECD).[8] As we are developing in the Administration’s forthcoming privacy White 
Paper, we seek to adapt these principles to the interactive and interconnected world 
of today. We are considering how best to incorporate principles that enable greater 
individual control over personal data and respect for the context in which such data 
was collected and that bring commercial data practices into alignment with reason- 
able consumer expectations. Notice and choice are fundamental to privacy protec- 
tion, but today a more dynamic and holistic approach to privacy protection is need- 
ed, and obligations must be enforceable against the organizations that collect, use, 
and disclose personal data. 

The Administration looks forward to working with Congress and stakeholders to 
define these protections and enforcement authorities further and enact them into 
law. 

B. Implementing Enforceable Codes of Conduct Developed Through Multi- 
Stakeholder Processes 

The Administration called for a dual approach to privacy protection, coupling leg- 
islative protection enshrined in a consumer privacy bill of rights with the adoption 


5 All comments that the Department received in response to the Green Paper are available 
at http://www.ntia.doc.gov/comments/101214614-0614-01/. 

6 For industry comments in support of legislation, see, e.g., Intel Comment at 3 (“We disagree 
with the arguments some have advocated against the adoption of legislation, particularly that 
privacy legislation would stifle innovation and would hinder the growth of new technologies by 
small businesses. Instead, we believe that well-crafted legislation can actually enable small busi- 
ness e-commerce growth.”); Google Comment at 2 (supporting “the development of a comprehen- 
sive privacy framework for commercial actors . . . that create[s] a baseline for privacy regula- 
tion that is flexible, scalable, and proportional”). For consumer groups and civil liberties’ organi- 
zations comments in support of legislation, see, e.g., Center for Democracy and Technology, 
Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 2 (“CDT has long 
argued and continues to believe that the only way to implement a commercial data privacy 
framework that fully and effectively incorporates all the Fair Information Practice Principles is 
through baseline privacy legislation.”); Center for Digital Democracy and USPIRG, Comment on 
Department of Commerce Privacy Green Paper, at 21 (“[W]e urge the adoption of regulations 
that will ensure that consumer privacy online is protected. The foundation for such protection 
should be the implementation of Fair Information Practices for the digital marketing environ- 
ment.”); Consumers Union, Comment on Department of Commerce Privacy Green Paper, Jan. 
28, 2011, at 2 (“Consumers Union supports the adoption of a privacy framework that will protect 
consumer data both online and offline. . . . CU believes this comprehensive privacy framework 
should be grounded in statute. . . .”); Privacy Rights Clearinghouse, Comment on Department 
of Commerce Privacy Green Paper, Jan. 28, 2011, at 2 (“[NJoting that consumer trust is pivotal 
to commercial success online, and that it has diminished with industry self-regulatory practices, 
PRC advocates comprehensive federal FIPPs-based data privacy legislation.”). 

7 See U.S. Dept. of Health, Education and Welfare, Records, Computers and the Rights of Citi- 
zens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, July 
1973, http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm. 

8 See OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 
http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html. 
of legally enforceable codes of conduct developed through a multi-stakeholder proc- 
ess. The process should permit everyone who has a stake in privacy — companies, 
consumers, civil liberties advocates, academics, and others — to work together to take 
the statutory baseline privacy protections and expand them into legally enforceable 
best practices or codes of conduct. In such a process, the government is an active 
participant, a convener that brings together all participants and facilitates discus- 
sions, but does not prescribe the outcome. This process should be open to any person 
or organization that is willing to participate in the hard work of engaging with other 
stakeholders to resolve any substantive differences fairly and openly. 

The Administration believes that the flexibility provided by multi-stakeholder 
processes could offer the most effective solution to the challenges posed by a rapidly 
changing technological, economic, and social environment. This recommendation re- 
flects the Department’s view that government must support policy development 
processes that are nimble enough to respond quickly to consumer data privacy 
issues as they emerge and that incorporate the perspectives of all stakeholders to 
the greatest extent possible. A well-crafted multi-stakeholder process will allow 
stakeholders to address privacy issues in new technologies and business practices 
without the need for additional legislation, permit stakeholders to readily reexamine 
changing consumer expectations, and enable stakeholders to identify privacy risks 
early in the development of new products and services. 

Multi-stakeholder processes can be well suited for illuminating the policy tradeoffs 
inherent in ideas such as data breach notification, data security compliance, and 
Do-Not-Track. Starting with the commercialization of the Internet, the FTC has 
used a variety of stakeholder engagements to develop consumer data privacy poli- 
cies. Its current work on Do-Not-Track carries on this history, and I applaud the 
leadership of Chairman Leibowitz,[9] as well as browser developers, Internet compa- 
nies, standards organizations, privacy advocates, and others to provide options for 
greater control over personal information that may be used for online tracking.[10] 
The development of safe harbor programs is another task that can be addressed 
through the multi-stakeholder process recommended in the Commerce Green Paper. 

C. Strengthening the FTC’s Authority 

Bolstering the FTC’s enforcement authority is a key element of the Administra- 
tion’s proposed framework. In addition to its leadership in developing consumer data 
privacy policy, the FTC plays a vital role as the nation’s independent consumer pri- 
vacy enforcement authority for non-regulated sectors. Granting the FTC explicit au- 
thority to enforce baseline privacy principles would strengthen its role in consumer 
data privacy policy and enforcement, resulting in better protection for consumers 
and evolving standards that can adapt to a rapidly evolving online marketplace. 

D. Establishing Limiting Principles on Consumer Data Privacy Legislation 

As the Committee considers consumer data privacy legislation, I would like to re- 
iterate the Administration’s views on the limitations that Congress should observe 
in crafting legislation that strengthens consumer privacy protections and encourages 
continuing innovation. Legislation should not add duplicative or overly burdensome 
regulatory requirements to businesses that are already adhering to the principles 
in baseline consumer data privacy legislation. Legislation should be technology-neu- 
tral, so that firms have the flexibility to decide how to comply with its requirements 
and to adopt business models that are consistent with baseline principles but use 
personal data in ways that we have not yet contemplated. Furthermore, domestic 
privacy legislation should provide a basis for greater transnational cooperation on 
consumer privacy enforcement issues, as well as more streamlined cross-border data 
flows and reduced compliance burdens for U.S. businesses facing numerous foreign 
privacy laws. 

IV. The Department of Commerce’s Next Steps on Internet Privacy Policy 

As discussion of consumer privacy legislation moves forward, the Department of 
Commerce will continue to make consumer data privacy on the Internet a top pri- 
ority. We will convene Internet stakeholders to discuss how best to encourage the 
development of enforceable codes of conduct, in order to provide greater certainty 
for businesses and necessary protections for consumers. The past 15 years have 
shown that self-regulation without government leadership can be sporadic and in- 


9 See Statement of the Federal Trade Commission, before the Committee on Commerce, 
Science, and Transportation, U.S. Senate, Mar. 16, 2011, http://www.ftc.gov/os/testimony/110316consumerprivacysenate.pdf. 

10 See, e.g., W3C Workshop on Web Tracking and User Privacy, Apr. 28-29, 2011, 
http://www.w3.org/2011/track-privacy/ (collecting position papers and reporting on a workshop dis- 
cussion of technical and policy approaches to limit web tracking). 
sufficiently motivated. The Department received significant stakeholder support for 
the recommendation that it play a central role in convening stakeholders. A broad 
array of organizations, including consumer groups, companies, and industry groups, 
announced their support for the Department to help coordinate outreach to stake- 
holders to work together on enforceable codes of conduct.[11] This will be led by the 
National Telecommunications and Information Administration (NTIA) but would in- 
volve all relevant Commerce components, just as NTIA supports NIST’s effort to 
convene stakeholders to discuss privacy issues that may arise in the implementation 
of the National Strategy for Trusted Identities in Cyberspace (NSTIC),[12] and ITA 
administers efforts relating to the U.S.-EU Safe Harbor Agreement[13] and the Asia- 
Pacific Economic Cooperation’s (APEC) Cross-Border Data Privacy Rules. Through 
the National Science and Technology Council subcommittee I co-chair with Assistant 
Attorney General Christopher Schroeder, it will involve other Federal Government 
components, including the FTC. 

The Department will also continue to work with others in the Federal Govern- 
ment to develop the Administration policy on data security. Without data security, 
there can be no effective data privacy. Last month, the Administration submitted 
a legislative proposal to improve cybersecurity, which includes a national data 
breach reporting provision.[14] Such a law would help businesses by simplifying and 
standardizing the existing patchwork of 47 state laws with a single, clear, nation- 
wide requirement, and would help ensure that consumers receive notification, when 
appropriate standards are met, no matter where they live or where the business op- 
erates. 

Earlier this month, the Department of Commerce released a green paper on Cy- 
bersecurity, Innovation, and the Internet Economy directed at increasing security 
beyond core critical infrastructure in the vital Internet and information technology 
sectors. We are currently soliciting comments from stakeholders to help us develop 
this critical strategy, with the goal of improving security at home and around the 
world so that Internet services can continue to provide a vital connection for trade 
and commerce, as well as for civic participation and social interaction. 

The Department will also support the Administration’s efforts to encourage global 
interoperability by stepping up our engagement in international policymaking bod- 
ies. U.S. enterprises continue to incur substantial costs complying with disparate 
data privacy laws around the world. The need to comply with different privacy laws 
can lead to compartmentalization of data and privacy practices, can require a sig- 
nificant expenditure of time and resources, and can even prevent market access. 
Consistent with the National Export Initiative goal of decreasing regulatory barriers 
to trade and commerce, the Department will work with our allies and trading part- 
ners to facilitate cross-border data flows by increasing the global interoperability of 
privacy frameworks. Privacy laws across the globe are frequently based on similar 
values and a shared goal of protecting privacy while facilitating global trade and 
growth. The Department will work with our allies to find practical means of bridg- 
ing any differences, which are often more a matter of form than substance. Specifi- 
cally, the Department will work with other agencies to ensure that global privacy 
interoperability builds on accountability, mutual recognition and reciprocity, and en- 
forcement cooperation principles pioneered in the OECD and APEC. The continued 
development of agreements with other privacy authorities around the world, coordi- 
nated with the State Department and other key actors in the Federal Government, 
could further reduce significant business global compliance costs. 

Congressional action in this area at this time can have a significant global impact. 
The Administration’s work on consumer data privacy is having a significant and 
positive effect on our discussions with members of the European Union. One illus- 
tration of this direction comes from a May 18, 2011, speech about the reform of the 
EU Data Protection Directive by European Justice Commissioner Viviane Reding. 
Commissioner Reding stated that “EU-U.S. cooperation on data protection is crucial 
to protect consumers and enhance legal security for businesses online. I welcome a 
draft Bill of Rights just introduced in the U.S. Congress as a bipartisan initiative 
of Democrats and Republicans.” Commissioner Reding also stated that “[t]his is a 
good opportunity to strengthen our transatlantic cooperation.” Last week I was in 
Budapest to speak with European data privacy commissioners and, while we have 
much further to go in our discussions with Europe, and much remains uncertain 
about the final shape of the EU’s revised Data Privacy Directive, we see encour- 
aging signs of potential for interoperability and harmonization from the other side 
of the Atlantic. U.S. enactment of legislation establishing comprehensive commercial 
data privacy protections will help. Strong leadership in this area could form a model 
for our partners currently examining this issue, and prevent fragmentation of the 
world’s privacy laws and its concomitant increase in compliance costs to our busi- 
nesses that conduct international trade. 

e.g., Center for Democracy and Technology, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 15; Consumers Union, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 2–3; Microsoft, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 6; Walmart, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 2; Intel, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 7; Google, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 5; Facebook, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 13; and Yahoo!, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 11. 

National Strategy for Trusted Identities in Cyberspace (NSTIC), Apr. 15, 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf. 

See Export.gov, Welcome to the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks (last updated Mar. 31, 2011), http://www.export.gov/safeharbor/. 

See Statement for the Record of Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, before the Senate Homeland Security and Governmental Affairs Committee: “Protecting Cyberspace: Assessing the White House Proposal,” May 23, 2011. 

Cybersecurity, Innovation and the Internet Economy, June 11, 2011, http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf. 

V. Conclusion 

Mr. Chairman, thank you again for the opportunity to provide our views on legis- 
lation to protect consumer privacy and promote innovation in the 21st Century. We 
look forward to working with you, the FTC and other federal agencies, the Executive 
Office of the President, and other stakeholders toward enactment of these consumer 
data privacy protections. I welcome any questions you have for me. Thank you. 

The Chairman. Your statement will be included in the record. 

Mr. Kerry. Thank you. 

The Chairman. And thank you for your testimony. 

Mr. Schlick. 

STATEMENT OF AUSTIN C. SCHLICK, GENERAL COUNSEL, 
FEDERAL COMMUNICATIONS COMMISSION 

Mr. Schlick. Good morning, Chairman Rockefeller, members of 
the Committee. Thank you for this opportunity to discuss the pro- 
grams of the Federal Communications Commission to protect con- 
sumer privacy and data security. I am particularly pleased to be 
here this morning with two strong partners in that effort, the De- 
partment of Commerce and the Federal Trade Commission. 

The FCC has decades of experience implementing privacy protec- 
tion statutes. These include provisions of the Communications Act 
that required communications providers to safeguard their cus- 
tomers’ personally identifiable information, as well as provisions to 
protect consumers against unwanted telephone and fax solicita- 
tions. 

At the same time, increased use of personal data in connection 
with new online and wireless applications is raising serious privacy 
and security concerns. As the FCC recognized in the National 
Broadband Plan, successfully addressing these concerns will be 
critical to increasing adoption and deployment of technologies that 
benefit consumers, government, and the economy. 

The Commission historically has focused on three privacy related 
goals: ensuring that personal information is protected from misuse 
and mishandling, requiring providers to be transparent about their 
practices, and enabling consumers to make informed decisions. 
These goals remain our primary focus as we implement the various 
sections of the Communications Act that directly impact privacy. 

For example, Section 222 of the Communications Act requires 
telecommunications carriers and interconnected Voice-over-Internet 
Protocol providers to secure customer proprietary network informa- 
tion, which is known as CPNI. CPNI includes consumers’ call 
records and call information. 

Under Section 222, the FCC has adopted rules addressing the 
handling, use, and sharing of CPNI. We have also adopted rules to 
prevent pretexting, a practice under which unauthorized third par- 
ties attempt to gain access to telephone subscribers’ personal infor- 
mation. 

Through our rulemakings and enforcement, we have resolved dif- 
ficult issues such as when opt-in and opt-out notifications are ap- 
propriate, minimum notice standards, data sharing rules, reason- 
able data security measures, and notification to law enforcement 
and consumers in the event of data breaches. In just the last 6 
months, the Commission issued 28 warnings and notices of appar- 
ent liability for various CPNI violations. Because of our active en- 
forcement and education efforts, the Section 222 protections are 
now well-known and well understood, and the number of consumer 
complaints the FCC receives on CPNI issues has declined steadily. 

Sections 338 and 631 of the Communications Act also protect 
personal information. These provisions establish requirements for 
satellite and cable television providers’ treatment of their sub- 
scribers’ personally identifiable information. The requirements in- 
clude clear and conspicuous notice about collection and use of sub- 
scribers’ personal data, limiting disclosure of personal data, and 
remedies for subscribers who suffer a violation of these provisions. 

Working in parallel with the FTC, the FCC adopted do-not-call 
regulations under Section 227 of the Communications Act. Since 
2009, we have issued nearly 150 warnings, citations, and other ac- 
tions for do-not-call violations. The FCC and the FTC also collabo- 
rate on implementation of the CAN-SPAM Act, with the FCC 
adopting rules that prohibit sending unwanted commercial e-mail 
messages to wireless accounts without prior permission. The FCC 
and the Department of Justice enforce Section 705 of the Commu- 
nications Act which prohibits unauthorized interception of radio 
communications and unauthorized disclosure of wire or radio com- 
munications. 

The FCC supports consumer education in the areas of privacy 
and information security. The FCC is a partner in OnGuard-On- 
line, an online initiative led by the FTC that helps consumers 
guard against Internet fraud and identity theft, protect their chil- 
dren’s personal information, and avoid e-mail and phishing scams. 
The FCC also is a member of the National Initiative for Cybersecurity 
Education partnership led by the Department of Commerce. 

Just yesterday, we held a workshop of the Commission on loca- 
tion-based wireless services and privacy issues that they raise. At 
this webcast event in which the FTC participated, we gathered in- 
formation from wireless carriers, application developers, and busi- 
ness and academic leaders about trends in the development and 
use of location-based services, industry best practices for protecting 
personal information, and what consumers and parents should 
know about protecting themselves when using these services. We 
heard about the many potential benefits of location-based tech- 
nologies, as well as the challenges of educating consumers to pro- 
tect their privacy while using these new products and services. 
The FCC brings to these issues accumulated privacy expertise, as 
well as expertise about new communications technologies and serv- 
ices. Protecting privacy is a necessary part of providing commu- 
nications services. So, too, it is part of the FCC’s mandate to pro- 
mote a healthy and competitive communications marketplace that 
meets consumers’ needs. 

Thank you for this opportunity to testify today, and I look for- 
ward to your questions. 

[The prepared statement of Mr. Schlick follows:] 

Prepared Statement of Austin C. Schlick, General Counsel, 
Federal Communications Commission 

Good morning Chairman Rockefeller, Ranking Member Hutchison, and members 
of the Committee. Thank you for this opportunity to discuss the Federal Commu- 
nications Commission’s programs to protect consumer privacy. I am particularly 
pleased to be here with representatives of two strong partners in this effort, the De- 
partment of Commerce and the Federal Trade Commission. 

The FCC has decades of experience implementing privacy protection statutes. 
These include provisions of the Communications Act that require communications 
providers to safeguard their customers’ personally identifiable information, as well 
as provisions that protect consumers against unwanted telephone and fax solicita- 
tions. 

At the same time, increased use of personal data in connection with new online 
and wireless applications is raising serious privacy and security concerns. As the 
FCC recognized in the National Broadband Plan, successfully addressing these con- 
cerns will be critical to increasing adoption and deployment of technologies that ben- 
efit consumers, government, and the economy. 

The Commission historically has focused on three privacy-related goals: ensuring 
that personal information is protected from misuse and mishandling; requiring pro- 
viders to be transparent about their practices; and enabling consumers to make in- 
formed decisions. These goals remain our primary focus as we implement the var- 
ious sections of the Communications Act that directly impact privacy. 

For example, Section 222 of the Communications Act requires telecommunications 
carriers and interconnected Voice over Internet Protocol providers to secure cus- 
tomer proprietary network information, which is known as CPNI. CPNI includes 
consumers’ call records and call-location information. 

Under Section 222, the FCC has adopted rules addressing the handling, use, and 
sharing of CPNI. We also have adopted rules to prevent pretexting, a practice by 
which unauthorized third parties attempt to gain access to telephone subscribers’ 
personal information. Through our rulemakings and enforcement, we have resolved 
difficult issues such as when opt-in and opt-out notifications are appropriate, min- 
imum notice standards, data sharing rules, reasonable data security measures, and 
notification to law enforcement and consumers in the event of data breaches. 

In just the last 6 months, the Commission issued 28 warnings and Notices of Ap- 
parent Liability for various CPNI violations. Because of our active enforcement and 
education efforts, the Section 222 protections are now well-known and well-under- 
stood, and the number of consumer complaints the FCC receives on CPNI issues has 
declined steadily. 

Sections 338 and 631 of the Communications Act also protect personal informa- 
tion. These provisions establish requirements for satellite and cable television pro- 
viders’ treatment of their subscribers’ personally identifiable information. The re- 
quirements include clear and conspicuous notice about collection and use of sub- 
scribers’ personal data, limiting disclosure of personal data, and remedies for sub- 
scribers who suffer a violation of these provisions. 

Working in parallel with the FTC, the FCC adopted “Do-Not-Call” regulations 
under Section 227 of the Communications Act. Since 2009, we have issued nearly 
150 warning citations for Do-Not-Call violations. The FCC and the FTC also collabo- 
rate on implementation of the CAN-SPAM Act, with the FCC adopting rules that 
prohibit sending unwanted commercial e-mail messages to wireless accounts with- 
out prior permission. 

The FCC and the Department of Justice enforce Section 705 of the Communica- 
tions Act, which prohibits unauthorized interception of radio communications and 
unauthorized disclosures of wire or radio communications. 
The FCC supports consumer education in the areas of privacy and information se- 
curity. The FCC is a partner in On Guard Online, an online initiative led by the 
FTC that helps consumers guard against Internet fraud and identity theft, protect 
their children’s personal information, and avoid e-mail and phishing scams. The 
FCC also is a member of the National Initiative for Cybersecurity Education part- 
nership led by the Department of Commerce. 

Just yesterday, we held a workshop at the Commission on location-based wireless 
services and the privacy issues they raise. At this webcast event in which the FTC 
participated, we gathered information from wireless carriers, application developers, 
and business and academic leaders about trends in the development and use of loca- 
tion-based services, industry best practices for protecting personal information, and 
what consumers and parents should know about protecting themselves while using 
these services. We heard about the many potential benefits of location-based tech- 
nologies, as well as the challenges of educating consumers to protect their privacy 
while using these new products and services. 

The FCC brings to these issues accumulated privacy expertise, as well as exper- 
tise about new communications technologies and services. Protecting privacy is a 
necessary part of providing communications services. So too, it is part of the FCC’s 
mandate to promote a healthy and competitive communications marketplace that 
meets consumers’ needs. 

Thank you for the opportunity to testify today, and I look forward to your ques- 
tions. 

The Chairman. Thank you, Mr. Schlick. 

We’re going to proceed to the questions. And as for myself, they’ll 
be rather rapid, because we do have votes at 11 o’clock, and that’s 
very disconcerting to me. The Majority Leader failed to check with 
me about the convenience of the Commerce Committee. So I’ll do 
the best I can. I’m going to ask these fairly quickly. 

Commissioner Brill, as you know, Senator Pryor and I have in- 
troduced S. 1207, the Data Security and Breach Notification Act. 
What are your thoughts on this bill, quickly? 

Ms. Brill. The Commission supports strong federal legislation 
dealing with data security and breach notification, just like this 
bill. And this bill does satisfy the requirements of such a strong 
protective bill. 

The Chairman. Thank you. Our bill gives the Federal Trade 
Commission rulemaking authority to require companies with large 
databases to adopt security protocols to protect consumer data. Do 
you think companies are doing enough to maximize protection of 
their databases? 

Ms. Brill. Companies can do more. We have brought many data 
security cases over the past several years. We’ve investigated many 
more. We are not seeing cases that are close calls. These are cases 
where companies are falling down on basic security measures, 
sometimes not even following their own security procedures. So, 
yes, companies can definitely do more in the area of data security. 

The Chairman. I thank you. To follow up, the Commission has 
taken numerous enforcement actions against companies like Twit- 
ter for not adequately securing consumer information. Can you talk 
about how Senator Pryor’s and my bill will complement your exist- 
ing enforcement efforts? 

Ms. Brill. It actually will complement our efforts very well. Not 
only does it set forth some basic security processes and procedures, 
like having an officer focused on privacy, having within companies 
a process to deal with — excuse me — an officer focused on security 
and having in place processes to deal with security, but it also 
gives us broad rulemaking authority which will be very helpful. 
And, most importantly, I think, from my perspective, it gives us 
civil penalty authority which, I think, will incentivize companies to 
improve their security practices before they ever have to deal with 
us. 

The Chairman. Thank you. Incidentally, you’re going to keep 
your building. Don’t worry about it. 

Ms. Brill. Thank you. 

The Chairman. Mr. Kerry, the Department of Commerce has 
also called for national data security legislation. Do you have any 
opinions on the bill that Senator Pryor and I have introduced? 

Mr. Kerry. Senator Rockefeller, the bill certainly responds to the 
need for national legislation. One of the important drivers in the 
area of privacy has been the adoption of breach notification laws 
by states. There are now some 47 states that have them. 

But in order to make those consistent and to drive the issue na- 
tionally, there is a need for national data breach notification laws. 
It is part of the Administration’s cyber security package. And I 
thank you, Senator, for your leadership in helping to drive that 
issue. 

The Chairman. Thank you, sir. 

Commissioner Brill? 

Ms. Brill. Yes. 

The Chairman. How does the FTC work with the Department of 
Justice on data security issues under current law? 

Ms. Brill. Generally speaking 

The Chairman. I haven’t finished. 

Ms. Brill. Excuse me. 

The Chairman. But my questioning is of clear purpose. Do you 
have a good working relationship that adequately furthers the pub- 
lic interest of protecting consumers and prosecuting criminals, or 
do we need to grant Justice more authority than it already pos- 
sesses? 

Ms. Brill. It is important for the Department of Justice to have 
all the tools that it needs to go after folks who are hacking into 
databases. And to the extent that they feel that they need more 
tools, we, obviously, would support that. 

But at the same time, it’s critically important to recognize that 
we’re never going to be able to catch all the criminals. We’re never 
going to be able to catch all the hackers. 

So what’s critically important and what your bill, I think, does 
very well is it ensures that companies are going to shore up their 
data protection practices in the first instance so they aren’t affected 
by hacks to the extent that we can prevent that. And that’s why 
we appreciate your bill and what it does, especially in incentivizing 
companies to have good, strong programs in place, for instance, 
through the civil penalty provision. 

The Chairman. Thank you. I’ve got 40 seconds left. Commis- 
sioner Brill, many companies are already offering consumers the 
ability to use web browsers that have a do-not-track mechanism on 
them. However, when consumers use this feature, no one is hon- 
oring this request except for one company, which would happen to 
be the Associated Press. 

As of now, do you think the FTC can take action against con- 
sumers that do not honor a consumer’s do-not-track request? 
Ms. Brill. Action against companies that don’t honor it? If a 
company promises to honor a consumer’s request, or an ad network 
promises to honor a consumer’s request, then we can proceed fairly 
easily if they breach that promise through our deception enforce- 
ment jurisdiction. 

But if a company does not make a promise to adhere to a con- 
sumer’s request, then our jurisdictional test is a little bit more dif- 
ficult to meet. We fall under our unfairness jurisdiction, and there 
are some challenges in meeting that kind of a test in a scenario 
like you’ve described. It would depend on the facts and cir- 
cumstances. 

The Chairman. I thank you. 

Senator Kerry? 

Senator Kerry. Thank you, Senator Rockefeller. I was struck by 
the opening, frankly, comments of Senator Toomey, the Ranking 
Member of the Subcommittee. And I think it’s important if — if 
some of those questions are being raised, it’s really important that 
they be addressed here. 

And I wasn’t planning to, but I want to use the time, because 
we’ve got a problem here in trying to get a general consensus and 
pass legislation if there’s not a baseline level of understanding or 
acceptance of what we’re dealing with. Senator Toomey, in fairness, 
is at another hearing that he has to be at in the Banking Com- 
mittee. But I want the record to at least reflect the answers to this, 
and I know his staff will help make sure that he sees them. 

But, you know, he stated very clearly the question. He raised the 
question of whether or not this is a solution in search of a problem 
and, in addition, wondered sort of what the harm is out there. 

I think it’s really important for the three of you to address that 
very directly. What is the harm? Is there harm or isn’t there harm? 
Is this worth a national response? Is it imperative to have a na- 
tional response? And, if so, can one be constructed without the un- 
intended consequences of harming commerce and the open architec- 
ture? 

I’ve been on this committee for a long time now, and I have 
fought diligently to protect the open architecture, not to tax, have 
net neutrality, do all the things necessary. But I do believe that it’s 
imperative to have some kind of standard by which people are act- 
ing here. 

So I want to begin with you, Commissioner Brill, since your regu- 
latory agency is particularly in the line of fire on this, and then go 
to the Communications and end with the Commerce Department, 
if we could. But what is the harm? Is there harm? Is it real? Why 
do we — what should be compelled? And is this, indeed, a solution 
looking, you know, for a problem? 

Ms. Brill. I don’t believe the focus on privacy protection is a so- 
lution looking for a problem. I think right now, consumers are very 
unaware of what’s happening with their information, as I tried to 
communicate in my opening statement. 

Just with respect to privacy notices, for instance, as one example, 
and thinking about mobile technology, there have been studies that 
have shown that apps which a lot of young people are using — teen- 
agers, young adults — many of them don’t even have any kind of 
privacy policy whatsoever. To the extent that they do have a pri- 
vacy policy, it often requires consumers to click through literally 
over a hundred screens in order to read the privacy policy. 

This just isn’t reasonable to expect consumers to be able to do 
that in this modern technological age. So we need to come up with 
some solutions that fit the new technology that give consumers in- 
formation that they need about how their information is being 
used, and then giving them some choices about it. 

Mr. Schlick. Senator Kerry, there absolutely is a problem. We’ve 
seen that in our own Section 222 

Senator Kerry. Also, is there harm? 

Mr. Schlick. Yes. 

Senator Kerry. Is there harm here? 

Mr. Schlick. — in Section 222 implementation — to give you a con- 
crete example, pretexting. The Electronic Privacy Information Cen- 
ter came to us a few years ago and identified the problem of data 
being insufficiently secure and being taken out through the 
pretexting practices on false pretenses and sold commercially to the 
harm of consumers. So this was one instance where we conducted 
a rulemaking and were able to adopt rules to limit and end that 
practice. 

Our National Broadband Plan looks beyond the harmed individ- 
uals and to the harm of the economy. A key finding of the 
Broadband Plan was that if consumers and application developers 
don’t understand and trust the rules for privacy protection that are 
built into the system, then the adoption by consumers, the deploy- 
ment by network operators of broadband technologies will be 
harmed. 

We saw this again in our location-based service forum yesterday, 
where consumer groups and industry agreed that there is a need 
for clear rules of the road so that there will be an ability and a 
willingness to use these services for the benefit of consumers as 
well as industry. 

Mr. Kerry. Senator, let me say that our support for legislation 
comes from an extensive exchange with members of the public, 
with members of the business community, who broadly, across a 
spectrum of the business community, retail industries, as well as 
technology industries, as well as companies engaged in inter- 
national trade, said to us that there was a need for government ac- 
tion and privacy protection. And it’s unusual for a government 
agency to propose regulation and to have a wide spectrum of the 
business community as well as consumers and others endorse that 
proposal. But that’s precisely what occurred when we put out the 
commerce green paper in December. 

I think what that stems from is the critical need for trust in the 
sector. Let me tell you the story of a policy conference that I par- 
ticipated in a couple of years ago with a spectrum of people from 
business, from government, from academia, across the political 
spectrum, given the exercise to identify key risks and key drivers 
to the digital economy and to the development of broadband. And 
working in four separate groups looking at scenarios, every single 
one of them came up with the same risks, the same drivers. And 
every single one of them independently framed it in the same way 
as trust. And I think, if we look today at the wave of breaches that 
Senator Rockefeller alluded to, you know, we are facing a higher 
risk scenario in which trust is eroding. 

And, you know, there are a lot of companies that have good prac- 
tices, that understand the importance of trust to their business 
models, their survival. There are malicious actors and outliers 
there who exploit that trust. 

The Chairman. Thank you. Senator. 

Senator Wicker. 

STATEMENT OF HON. ROGER F. WICKER, 
U.S. SENATOR FROM MISSISSIPPI 

Senator Wicker. Mr. Chairman, I’m going to yield my time. I 
hope we’re able to get to the second panel before the series of seven 
votes begins. 

The Chairman. We won’t, but we’re coming back. OK. We have 
no choice. 

Senator Wicker. I understand that, and I yield my time. 

The Chairman. All right. 

Then Senator Ayotte. 

STATEMENT OF HON. KELLY AYOTTE, 
U.S. SENATOR FROM NEW HAMPSHIRE 

Senator Ayotte. Thank you, Mr. Chairman. 

Mr. Kerry, I understand that the Department of Commerce has 
led this Internet Policy Task Force. But could you also explain for 
us what the role of the Department of Commerce would be? Do you 
envision any enforcement role going forward? I mean, obviously, 
I’m pretty clear as to what the FTC and FCC’s role is, but if you 
can help us with that 

Mr. Kerry. Senator Ayotte, no, we do not envision an enforce- 
ment role. The FTC is a critical policymaker and the nation’s en- 
forcement authority over a broad area other than specific sectoral 
regimes like communications, like health records. And we believe 
that that role should be strengthened. 

The role of the Department of Commerce is as a convener, as a 
policy leader for the Executive Branch. It’s important that the Ex- 
ecutive Branch have a voice in the process, that we be part of the 
debate, as we are here today. But we have worked closely with the 
FTC in developing policy in this area. We would continue to do so. 

Senator Ayotte. Thank you. 

Commissioner Brill, I wanted to follow up on — as I know you 
share a history at the Attorney General’s office 

Ms. Brill. Exactly. 

Senator Ayotte. — in Vermont, so welcome. 

Ms. Brill. Thank you. 

Senator Ayotte. And I wanted to ask about the enforcement 
piece of, for example, a proposal for do-not-track legislation. And, 
particularly, when we get on areas where we’re focused on a par- 
ticular kind of technology, given the changes that we can see hap- 
pen in the technology field, (a), how would you anticipate that we 
would — the enforcement mechanism would work for something like 
a do-not-track registry, number one. And then, second, do you have 
any concerns that a do-not-track policy could take away some of the 
tools that consumers have? 
There have been some studies that show that this could harm on- 
line advertising. So I wanted to get your thoughts on those two 
issues. 

Ms. Brill. Sure. So just to be clear, Senator Ayotte, it would not 
be a registry. What we’re talking about is a technology-driven solu- 
tion that would be generated through browser companies or ad net- 
works themselves or advertisers themselves. 

In terms of enforcement, what we — we do want to see a strong 
enforcement component, whether it becomes a mechanism — or a 
mechanism set up by industry itself, or whether it gets set up 
through legislation. The key component in an enforcement mecha- 
nism is that those who receive the messages from consumers about 
the choices that they are making will honor them. And once we are 
assured, either through a self-regulatory mechanism or through 
legislation, that the receipt of a header or a cookie or whatever the 
technology is — when an entity receives that message — that they 
promise they will honor it. Then we have an enforcement tool. 

So that’s a critical piece here. And that is certainly something 
that we’re looking to see happen in the industry-driven efforts that 
are currently underway. 

OK. Your other point about could it take away the benefits — you 
know, there has been discussion about whether or not an over- 
whelming number of consumers would participate and, therefore, it 
would drive away the free content that’s currently available on the 
Web. My view is that, actually, what will happen is consumers will 
have much more trust in what’s happening on the Internet if they 
understand that the choice is available to them to make granular 
choices about what will happen with their information, how it will 
be used, and how it will be collected. 

I actually don’t expect that we’ll see a whole lot of consumers 
opting into the system, I mean, you know, choosing to participate. 
But what it will do is it will, I think, give — just engender a huge 
amount of trust, which I think will actually cause the industry to 
thrive even more. I think that’s the critical component here that I 
haven’t heard a lot of discussion about. 

Senator Ayotte. And just to be clear, just so I understand, in 
terms of issues — for example, a do-not-track issue — you envision 
that this could be something implemented by industry as opposed 
to us in Congress coming up — because one of the issues I see in 
terms of implementation is for us to come up with a solution that 
will work in application is a very difficult task. And, often, we 
aren’t the best ones to come up with those solutions. 

Ms. Brill. It can be done by industry. And we have called — a 
majority of the Commissioners have called on industry to step up 
to the plate. I have been a particularly vocal proponent of industry 
proceeding in a self-regulatory manner. 

I think it has been slow. We started to make these calls to do 
something with respect to online behavioral advertising several 
years ago. But since we started making a specific call for do-not- 
track, industry has moved, and there has been significant progress 
on the part of industry. 

I am worried, though, that we might not be able to get all the 
way there because of the way the industry is structured. Adver- 
tisers and ad networks are rather disparate. There are lots of 
them. And unless we get them to sort of uniformly agree that 
they’re going to participate and honor consumers’ requests, I’m just 
not sure that the self-regulatory mechanism can work. So I’m wor- 
ried about the way that it’s structured right now — the industry is 
structured — as to whether we can get all the way there. 

Senator Ayotte. Thank you very much. 

The Chairman. Thank you very much. 

Before I go to Senator Klobuchar, we have a major problem to 
work out here. There are five votes that are starting at 11:05. I’m 
trying to get them moved to 11:10, which means we could spend 
another 15 minutes here. 

We have another panel. We have Senator Klobuchar. Senator 
Pryor has just walked in. Now, you can decide what you want to 
do. 

My recommendation would be that, Senator Klobuchar, you ask 
your question, because you’ve been here a while. Senator Pryor, 
who is the Subcommittee Chairman is all over this, and he’s ex- 
tremely important. But somebody has to sacrifice. And I think 
what we need to do is let Senator Klobuchar ask her question 
quickly and make sure it’s responded to quickly. Then we call up 
the other panelists. We let them give their testimony, and then we 
submit questions to them in writing, and then all scramble to get 
to the Senate floor to vote on heavens knows what. Is that accept- 
able? 

It’s not to you, and I understand. Is that acceptable? 

STATEMENT OF HON. AMY KLOBUCHAR, 
U.S. SENATOR FROM MINNESOTA 

Senator Klobuchar. Yes, ready to go. 

The Chairman. Go ahead. 

Senator Klobuchar. OK. Well, thank you very much, Mr. Chair- 
man. This issue, of course, can create divides, but I think we all 
know that there’s some line in the sand here. And, for me, you 
know, when you order books on a Kindle and then they come up 
with recommendations of books that are similar to what you or- 
dered, that’s just fine. It’s actually helpful and not harmful. 

But on the other hand, when you hear stories of companies that 
may be compiling what they call “sucker lists” about consumers 
that may be susceptible to different kinds of fraud, that’s a prob- 
lem. And so I appreciate you helping us work through this today. 

One of the things I wanted to ask you about, Commissioner Brill, 
was the Children’s Online Privacy Protection Act and the Unfair 
and Deceptive Conduct Clause. It’s not clear what regulations pro- 
hibit the sharing of user information on mobile phones. For exam- 
ple, if there is an application geared toward adults that has no user 
agreement or stated privacy policy but shares location and other 
mobile information with a third-party advertiser without seeking 
consent from the user, are there any enforcement mechanisms that 
the FTC can use to prosecute the company for misusing the per- 
son’s data? 

Ms. Brill. Are you focused specifically on children 

Senator Klobuchar. Mobile. 

Ms. Brill. — or mobile? 

Senator Klobuchar. No, this is on the mobile. 
Ms. Brill. So, if a mobile phone right now does not — a mobile — 
an application does not have a privacy policy and is collecting geo- 
location information, that’s your question? Is there something that 
we can do about it? We are, then, as I mentioned a few moments 
ago, in a world where we’re no longer dealing potentially with de- 
ception, because they haven’t said anything that they are then not 
following through on, and we’re rather in the realm of unfairness. 

And in that realm, it really does depend on the facts and cir- 
cumstances. It depends on how they’re using it. We might be able 
to make out an argument that the particular use or the way in 
which geo-location was used would be unfair. There also might be 
an argument that failing to have a disclosure to consumers about 
the way in which geo-location was used, if it harms the consumer, 
would also be unfair. But it’s a tougher test. 

Senator Klobuchar. OK. And then back to the children’s issues, 
under the Children’s Online Privacy Protection Act, companies op- 
erating websites or online services intended for children under 13 
are prohibited from collecting information. And I just wonder if 
there is a practical — and I believe that is a good provision — but is 
there any practical way for the FTC to distinguish between 
websites and online services intended for children that need to 
comply with this law versus applications for adults? 

Ms. Brill. Sure, yes. So the Children’s Online Privacy Protection 
Act applies when you have a website that is either directed at kids 
or where the website knows that it is collecting information about 
kids. And by kids, it’s kids under 13. 

In order to determine whether a website is directed at children, 
we really look at the totality of the circumstances. So we’ll look at 
things like — are there cartoons being used? We’ll look at issues in 
the mobile space. Where is the application being sold, or how is it 
being sold? What part of the app store is it in? Is it in the part 
of the app store that’s designed for kids, or is it in a different part 
of the app store? 

So those are the kinds of factors that we’ll look at to determine 
whether the website or the mobile application is focused on chil- 
dren. In terms of whether or not the general audience website or 
application is collecting information about children, you know, if 
the website actually receives information from a teacher or a par- 
ent that there’s a particular kid involved, obviously, then, they 
know. 

But we also do undercover work, you know. We’ll go online and 
pretend we’re 13 or 12 or 11 and see if the website will collect in- 
formation about us. So there are a number of different ways we can 
figure out what’s happening. 

Senator Klobuchar. OK. One last question to Mr. Kerry. 

I’ve been working on this Cloud Computing bill, as you know. 
And one of the issues here is that we are trading partners inter- 
nationally, and I think we’ve talked about this before in Judici- 
ary — but the need to establish privacy, security, and cross-border 
data flow standards along with working with our allies, do you be- 
lieve it would be prudent to establish a global standard that com- 
panies in all countries would voluntarily subscribe to? 

Mr. Kerry. That’s a direction that we need to 

The Chairman. If you could answer in 30 seconds 
Mr. Kerry. — move toward, Senator Klobuchar. I mean, one of 
the key tenets of what we’re trying to do is to establish global 
interoperability so that companies can trade, so that data can re- 
side transparently in different locations in the cloud. So to try to 
bring global privacy standards closer together is an important part 
of our support of comprehensive legislation. 

The Chairman. Thank you. We’re now on this rather quickened 
pace. I thank all three of you very much. 

And I want to introduce — Senator Begich, I’ll explain this to you 
on the way to a vote, how you’ve been abused. 

The second panel are Mr. Scott Taylor, Vice President, Chief Pri- 
vacy Officer, Hewlett-Packard; Mr. Stuart Pratt, President and 
CEO, Consumer Data Industry Association; Ms. Ioana Rusu, Regu- 
latory Counsel, Consumers Union; Mr. Tim Schaaff, President, 
Sony Network Entertainment International; and Mr. Thomas 
Lenard, President and Senior Fellow, Technology Policy Institute. 

And, once again, our purpose here will be in the time remaining 
to us — which is not yet determined, but let’s say it’s 20 minutes at 
the maximum — for all 5 of you to give testimony. That is a chal- 
lenge, but you’re exceptionally bright, well-educated, and advanced 
people, and so you should be able to meet it. 

And we will start with you, Mr. Pratt. 

And, incidentally, the questions will be submitted from the Com- 
mittee members to all of you. 

STATEMENT OF STUART K. PRATT, PRESIDENT AND CEO, 
CONSUMER DATA INDUSTRY ASSOCIATION 

Mr. Pratt. Chairman Rockefeller, members of the Committee, 
thank you for this opportunity to appear before you today. And for 
the record, my name is Stuart Pratt, and I’m the CEO of the Con- 
sumer Data Industry Association. 

The Chairman. We know that. Get right to the point. 

Mr. Pratt. CDIA’s members’ data and technologies protect con- 
sumers and help businesses manage risk. Whether it’s counterter- 
rorism efforts, locating a child who has been kidnapped, preventing 
a violent criminal from taking a job with access to children or the 
elderly, or ensuring the safety and soundness of lending decisions, 
our members’ databases, software, and analytical tools are critical 
to how we manage risk in this country, ensure consumers are 
treated fairly, and how we protect consumers from becoming vic- 
tims for both violent and white-collar crimes. 

Let me just skip some of the examples. Those are in the record. 
And let’s jump to some of the key points. I think that’s where 
you’re driving us here. 

I think this committee has some — a tremendous opportunity be- 
fore it here today. First of all, it can fill an important gap in cur- 
rent law by ensuring that all U.S. businesses which are not already 
subject to data security for sensitive personal information are in 
the future. CDIA is on record in support of enacting national stand- 
ards for securing personal information, and we’re pleased to have 
this opportunity to affirm this position again today. 

Second, Congress can complete the good work of 48 states which 
have enacted data breach notification laws by creating a much- 
needed national standard which ensures consumers are treated in 
the same way, no matter where they live. Here again, the CDIA 
is happy to support the enactment of such a standard for those who 
possess sensitive personal information and where such information 
has been stolen or lost, the consumer is exposed to a significant 
risk of becoming a victim of identity theft. 

New law regarding data security and data breach notification 
should be designed to align with current laws which are already ro- 
bust and effective. CDIA’s members are financial institutions under 
the Gramm-Leach-Bliley Act and as such, they are already subject 
to an appropriate standard for securing sensitive personal informa- 
tion. It is important that new law not interfere with, alter, or add 
to the requirements of the GLB safeguards rule and the enforce- 
ment guidance that has evolved over a decade of enforcement ac- 
tions, examinations, and regulatory guidance. 

The same principle applies to other sectors of the U.S. economy 
that have already been subject to their data security duties. This 
new law should fill gaps, thus ensuring that all sensitive personal 
information is protected. 

Similarly, where sectors of the U.S. economy are already subject 
to a federal data breach notification standard through law, regula- 
tion, or rules, these sectors should be exempted from having to 
comply with the duties of a new federal standard. Again, the new 
federal standard should fill a gap. 

In the past, bills have tried to eliminate the problems of impos- 
ing duplicative duties. However, these exemptions often fall short 
by using an in-compliance-with construction rather than a subject- 
to construction. Getting these exemptions right is important as the 
new duties for data security and data breach notification are en- 
acted, and we urge the Committee to avoid creating duplicative 
law. 

Congress must also avoid creating a 51st state law. Enacting 
strong and effective duties for securing sensitive personal informa- 
tion and data breach notification is only a success if it creates a 
true national standard for U.S. businesses. This is especially true 
for small businesses. 

Finally, we would urge the Committee to exclude privacy issues 
which are not relevant to data security or data breach notification. 
Privacy and data security are not coterminous concepts. CDIA’s 
members live with a variety of laws that regulate their businesses 
today, including the Fair Credit Reporting Act, the Gramm-Leach- 
Bliley Act, Title V, HIPAA, the Driver’s Privacy Protection Act, and 
more. We urge this committee and the Congress to not comingle 
privacy concepts such as provisions which propose to regulate enti- 
ties defined as information brokers with the duty to secure sen- 
sitive personal information and to provide notices to consumers 
where there has been a breach of their data. 

As discussed more completely in my written testimony, privacy 
issues can even interfere with the development of data which is 
used to prevent fraud, identity theft, and to manage risks like 
those we have discussed. Let’s move on to clean data security and 
data breach notification which will inure benefits to consumers by 
establishing a national standard and ensuring that U.S. businesses 
can comply, which is always their highest goal. 

Thank you, Mr. Chairman. 
[The prepared statement of Mr. Pratt follows:] 

Prepared Statement of Stuart K. Pratt, President and CEO, 
Consumer Data Industry Association 

Chairman Rockefeller, Ranking member Hutchison and members of the Com- 
mittee, thank you for this opportunity to appear before you today. For the record, 
my name is Stuart K. Pratt and I am President and CEO of the Consumer Data 
Industry Association. My testimony will focus on: 

• The importance to consumers of the data systems and analytical tools our mem- 
bers produce. 

• How current laws which regulate our members’ products already protect con- 
sumers. 

• Separating privacy issues from the important work of establishing a national 
standard for securing sensitive personal information and data breach notifica- 
tion. 

• Aligning new law with existing laws. 

• Creating a truly national standard. 

CDIA Members’ Data and Technologies Protect Consumers and Help U.S. 
Businesses Manage Risk 

Whether it is counterterrorism efforts, locating a child who has been kidnapped, 
preventing a violent criminal from taking a job with access to children or the elder- 
ly, or ensuring the safety and soundness of lending decisions our members’ innova- 
tive databases, software and analytical tools are critical to how we manage risk in 
this country, ensure fair treatment and most importantly, how we protect con- 
sumers from becoming victims of both violent and white-collar crimes of all types. 

Following are examples of how our members’ products, software and databases 
bring material value to consumers and our country: 

• Helping public and private sector investigators to prevent money laundering 
and terrorist financing. 

• Ensuring lenders have best-in-class credit reports, credit scoring technologies, 
income verification tools and data on assets for purposes of making safe and 
sound underwriting decisions so that consumers are treated fairly and products 
make sense for them. 

• Bringing transparency to the underlying value of collateralized debt obligations 
and in doing so ensuring our nation’s money supply is adequate which militates 
against the possibility and severity of economic crises. 

• Enforcing child support orders through the use of sophisticated location tools so 
children of single parents have the resources they need. 

• Assisting law enforcement and private agencies which locate missing and ex- 
ploited children through location tools. 

• Researching fugitives, assets held by individuals of interest through the use of 
investigative tools which allow law enforcement agencies to tie together disparate 
data on given individuals and thus to most effectively target limited manpower 
resources. 

• Witness location through use of location tools for all types of court proceedings. 

• Reducing government expense through entitlement fraud prevention, eligibility 
determinations, and identity verification. 

• Making available both local and nationwide background screening tools to en- 
sure, for example, that pedophiles don’t gain access to daycare centers or those 
convicted of driving while under the influence do not drive school buses or vans 
for elder care centers. 

• Helping a local charity hospital to find individuals who have chosen to avoid 
paying bills when they have the ability to do so. 

• Producing sophisticated background screening tools for security clearances, in- 
cluding those with national security implications. 

• Improving disaster assistance responses through the use of cross-matched data- 
bases that help first-responders to quickly aid those in need and prevent 
fraudsters from gaming these efforts for personal gain. 

Not only do our members’ technologies and innovation protect us and ensure that 
we are managing risk in this country, but they reduce costs and labor intensity. 
Risk management is not merely the domain of the largest government agencies or 
corporations; it is available to companies of all sizes thanks to our members’ invest- 
ments. Consider the following scenarios: 

Scenario 1 — Effective Use of Limited Resources 

The following example was given during a Department of Homeland Security 
meeting on use of data by the department: “One extremely well-known law en- 
forcement intelligence example from immediately post-9/11 was when there was 
a now well-publicized threat . . . that there might be cells of terrorists training 
for scuba diving underwater bombing, similar to those that trained for 9/11 to 
fly but not land — planes. How does the government best acquire that? The FBI 
applied the standard shoe-leather approach — spent millions of dollars sending 
out every agent in every office in the country to identify certified scuba training 
schools. The alternative could and should have been for the Federal Govern- 
ment to be able to buy that data for a couple of hundred dollars from a commer- 
cial provider, and to use that baseline and law enforcement resources, starting 
with the commercial baseline.” 

Scenario 2 — Lowering Costs / Expanding Access to Best-in-Class Tools 

One commercial database provider charges just $25 for an instant comprehen- 
sive search of multiple criminal record sources, including fugitive files, state 
and county criminal record repositories, proprietary criminal record informa- 
tion, and prison, parole and release files, representing more than 100 million 
criminal records across the United States. In contrast, an in-person, local search 
of one local courthouse for felony and misdemeanor records takes 3 business 
days and costs $16 plus courthouse fees. An in-person search of every county 
courthouse would cost $48,544 (3,034 county governments times $16). Similarly, 
a state sexual offender search costs just $9 and includes states that do not pro- 
vide online registries of sexual offenders. An in-person search of sexual offender 
records in all 50 states would cost $800. 

Scenario 3 — Preventing Identity Theft & Limiting Indebtedness 

A national credit card issuer reports that they approve more than 19 million 
applications for credit every year. In fact they process more than 90,000 applica- 
tions every day, with an approval rate of approximately sixty percent. This cred- 
itor reports that they identify one fraudulent account for every 1,613 applica- 
tions approved. This means that the tools our members provided were pre- 
venting fraud in more than 99.9 percent of the transactions processed. These 
data also tell us that the lender is doing an effective job of approving consumers 
who truly qualify for credit and denying consumers who are overextended and 
should not increase their debt burdens. 

Current Laws Regulating Our Members’ Products Protect Consumers and 
Are Robust 

The United States is on the forefront of establishing sector-specific and enforce- 
able laws regulating uses of personal information of many types. The list of laws 
is extensive and includes but is not limited to the Fair Credit Reporting Act (15 
U.S.C. 1681 et seq.), the Gramm-Leach-Bliley Act (Pub. L. 106-102, Title V), the 
Health Insurance Portability and Accountability Act (Pub. L. 104-191), and the Driv- 
ers Privacy Protection Act (18 U.S.C. 2721 et seq.). 

Following are more probative descriptions of some of these laws, the rights of con- 
sumers and also the types of products that fall within the scope of the law. 

Fair Credit Reporting Act 

Key to understanding the role of the FCRA is the fact that it regulates any use 
of personal information (whether obtained from a public or private source) defined 
as a consumer report. A consumer report is defined as data which is gathered and 
shared with a third party for a determination of a consumer’s eligibility for enumer- 
ated permissible purposes. This concept of an eligibility test is a key to under- 
standing how FCRA regulates an extraordinarily broad range of personal informa- 
tion uses. The United States has a law which makes clear that any third-party-sup- 
plied data that is used to accept or deny, for example, my application for a govern- 
ment entitlement, employment, credit (e.g., student loans), insurance, and any other 
transaction initiated by the consumer where there is a legitimate business need. 
Again, this law applies equally to governmental uses and not merely to the private 
sector and provides us as consumers with a full complement of rights to protect and 
empower us. Consider the following: 

• The right of access — consumers may request at any time a disclosure of all in- 
formation in their file at the time of the request. This right is enhanced by re- 
quirements that the cost of such disclosure must be free under a variety of cir- 
cumstances including once per year upon request, where there is suspected 
fraud, where a consumer is unemployed and seeking employment, when a con- 
sumer places a fraud alert on his or her file, or where a consumer is receiving 
public assistance and thus would not have the means to pay. Note that the 
right of access is absolute since the term file is defined in the FCRA and it in- 
cludes the base information from which a consumer report is produced. 

• The right of correction — a consumer may dispute any information in the file. 
The right of dispute is absolute and no fee may be charged. 

• The right to know who has seen or reviewed information in the consumer’s 
file — as part of the right of access, a consumer must see all “inquiries” made 
to the file and these inquiries include the trade name of the consumer and upon 
request, a disclosure of contact information, if available, for any inquirer to the 
consumer’s file. 

• The right to deny use of the file except for transactions initiated by the con- 
sumer — consumers have the right to opt out of non-initiated transactions, such 
as a mailed offer for a new credit card. 

• The right to be notified when a consumer report has been used to take an ad- 
verse action. This right ensures that I can act on all of the other rights enumer- 
ated above. 

• Beyond the rights discussed above, with every disclosure of a file, consumers 
receive a notice providing a complete listing of all consumer rights. 

• Finally, all such products are regulated for accuracy with a “reasonable proce- 
dures to ensure maximum possible accuracy” standard. Further all sources 
which provide data to consumer reporting agencies must also adhere to a stand- 
ard of accuracy which, as a result of the FACT Act, now includes new rule- 
making powers for federal agencies. 

Gramm-Leach-Bliley Act 

Not all consumer data products are used for eligibility determinations regulated 
by the FCRA. Congress has applied different standards of protection that are appro- 
priate to the use and the sensitivity of the data. We refer to these tools as Ref- 
erence, Verification and Information services or RVI services. RVI services are used 
not only to identify fraud, but also to locate and verify information for the public 
and private sectors. Fraud prevention systems, for example, aren’t regulated under 
FCRA because no decision to approve or deny is made using these data. Annually 
businesses conduct an average of more than 2.6 billion searches to check for fraudu- 
lent transactions. As the fraud problem has grown, industry has been forced to in- 
crease the complexity and sophistication of the fraud detection tools they use. While 
fraud detection tools may differ, there are four key models used. 

• Fraud databases — check for possible suspicious elements of customer informa- 
tion. These databases include past identities and records that have been used 
in known frauds, suspect phone numbers or addresses, and records of incon- 
sistent issue dates of SSNs and the given birth years. 

• Identity verification products — crosscheck for consistency in identifying informa- 
tion supplied by the consumer by utilizing other sources of known data about 
the consumer. Identity thieves must change pieces of information in their vic- 
tim’s files to avoid alerting others of their presence. Inconsistencies in name, 
address, or SSN associated with a name raise suspicions of possible fraud. 

• Quantitative fraud prediction models — calculate fraud scores that predict the 
likelihood an application or proposed transaction is fraudulent. The power of 
these models is their ability to assess the cumulative significance of small in- 
consistencies or problems that may appear insignificant in isolation. 

• Identity element approaches — use the analysis of pooled applications and other 
data to detect anomalies in typical business activity to identify potential fraudu- 
lent activity. These tools generally use anonymous consumer information to cre- 
ate macro-models of applications or credit card usage that deviates from normal 
information or spending patterns, as well as a series of applications with a com- 
mon work number or address but under different names, or even the identifica- 
tion and further attention to geographical areas where there are spikes in what 
may be fraudulent activity. 

The largest users of fraud detection tools are financial businesses, accounting for 
approximately 78 percent of all users. However, there are many non-financial busi- 
ness uses for fraud detection tools. Users include: 
• Governmental agencies — Fraud detection tools are used by the IRS to locate as- 
sets of tax evaders, state agencies to find individuals who owe child support, 
law enforcement to assist in investigations, and by various federal and state 
agencies for employment background checks. 

• Private use — Journalists use fraud detection services to locate sources, attor- 
neys to find witnesses, and individuals use them to do background checks on 
childcare providers. 

CDIA’s members are also the leading location services providers in the United 
States. These products are also not regulated under FCRA since no decision is based 
on the data used. These services, which help users locate individuals, are a key 
business-to-business tool that creates great value for consumers and business alike. 
Locator services depend on a variety of matching elements. Consider the following 
examples of location service uses of a year’s time: 

• There were 5.5 million location searches conducted by child support enforce- 
ment agencies to enforce court orders. For example, the Financial Institution 
Data Match program required by the Personal Responsibility and Work Oppor- 
tunity Reconciliation Act of 1996 (PL 104-193) led to the location of 700,000 de- 
linquent individuals being linked to accounts worth nearly $2.5 billion. 

• There were 378 million location searches used to enforce contractual obligations 
to pay debts. 

• Tens of millions of searches were conducted by pension funds (location of bene- 
ficiaries), lawyers (witness location), blood donors organizations (blood supply 
safety), as well as by organizations focused on missing and exploited children. 

Clearly RVI services bring great benefit to consumers, governmental agencies and 
to businesses of all sizes. Laws such as the Gramm-Leach-Bliley Act and Fair Credit 
Reporting Act are robust, protective of consumer rights, but also drafted to ensure 
that products used to protect consumers, prevent fraud and to locate individuals are 
allowed to operate for the good of consumers and business. 

A National Data Security and Data Breach Notification Standard Is A 
Separate Matter from Privacy 

Let me start by stating unequivocally that CDIA supports the creation of a na- 
tional standard for both securing sensitive personal information and notification of 
consumers when there has been a breach of that data. Our position is in agreement 
with the Federal Trade Commission recommendation offered in multiple testimonies 
on the Hill and via their joint Task Force report issued along with the Department 
of Justice. This committee can play a leading role in ensuring that such a standard 
is set. This committee can also ensure that privacy issues are not confused with the 
core consumer protections found in a proposal that focuses on data security and 
breach notification. 

Provisions found in some bills that create national standards for security and no- 
tification also impose accuracy, access and correction standards on a certain type of 
entity defined as an information broker. We believe that provisions such as these 
should be struck because they do not advance the cause of protecting data, and they 
interfere with how other current laws regulate the development of products which 
do protect consumers. Consider the following: 

Products such as those designed for fraud prevention and location are produced 
under laws such as the Gramm-Leach-Bliley Act and Section 5 of the Federal Trade 
Commission Act. The definition of information broker often does not exclude finan- 
cial institutions regulated under GLB. Therefore products developed under the data- 
use limitations found in GLB Title V, Section 502(e) are adversely affected by infor- 
mation broker provisions. 

Neither a product developed for fraud prevention nor location should be subject 
to accuracy, access and correction standards since neither product is used to deny 
or approve an application, etc. If they were designed for the purpose of making deci- 
sions about a consumer’s eligibility, then they would already be regulated under the 
FCRA. Further, accuracy, access and correction standards are not relevant to the important work of this Committee to establish a national standard for securing sensitive personal information and notifying consumers when there is a breach of such data. 

Consider the effect of applying an accuracy standard to fraud tools. Ironically 
doing so would lead to interference with the very tools that help protect consumers 
against the risks posed by failures to protect sensitive personal information. Fraud 
prevention tools are built based on data about consumers, data about confirmed 
fraud attempts, data about combinations of accurate and inaccurate data used for 
fraud attempts and more. Fraud tools are designed to identify transactions or applications that are likely to be fraudulent in order to allow the user to take additional 
steps to prevent the crime and still process legitimate transactions. 

Similarly it is wrong to subject fraud prevention tools to an access and correction 
regime. If details of a fraud tool are disclosed it is akin to disclosing the recipe for 
fraud prevention. This result works against a bill which is focused on protecting 
consumers from crime, particularly identity theft. 

As discussed in this testimony, location and investigative research services are 
materially important to how risk is managed. They are not designed to be used for 
decisionmaking and thus are not regulated under the FCRA, which already regu- 
lates all data used for eligibility decisions (including the imposition of accuracy, ac- 
cess and correction rights). Such services are, for example, designed to help a user 
identify possible connections between disparate records and ultimately possible loca- 
tions for the subject of the search. Measuring the quality of the possible connections 
is not akin to an accuracy standard, nor should an accuracy standard be applied 
to “possible matches.” Further, providing access to a database for purposes of error 
correction could affect the quality of the systems since matches are sometimes based 
on combinations of accurate and inaccurate data. 

Accuracy, access and correction duties are best left to future debates about pri- 
vacy, but they have no relevance to data security and breach notification. 

Aligning the Operation of New and Current Law 

As discussed above, by not including privacy issues (information brokers/accuracy/ 
access/correction) in a data security and notification bill, the committee avoids many 
problems with the operation of effective federal laws that are on the books today 
(e.g., FCRA, GLB, HIPAA, DPPA, etc.). Further the committee’s bill should not cre- 
ate overlapping burdens where U.S. companies are already in compliance with a se- 
curity breach notification or security standard for sensitive personal information. 
For example, financial institutions which are subject to the data security standards 
of the Gramm-Leach-Bliley Act and also federal agency guidance regarding data 
breach notification should be fully exempted from the bill. 

The Importance of a National Standard 

Congress should not enact a fifty-first law. A true national standard will benefit 
consumers because they will enjoy the benefits of this standard no matter where 
they live. Such a standard also benefits U.S. businesses of all sizes because they 
can then be successful in the goal they all share and that is to protect consumers’ 
sensitive personal information by building data security into their entire enterprise 
and to notify consumers where there is a significant risk of identity theft. 

Conclusion 

This committee has a number of important opportunities: 

• To fill an important gap in current law by ensuring that all U.S. businesses 
which are not already subject to a data security duty for sensitive personal in- 
formation are in the future. 

• To harmonize the 48 state data breach notification duties and in doing so create 
much needed uniformity. 

• To exclude privacy issues which are not relevant to data security and breach 
notification. 

• To avoid creating law which interferes with the operation of current laws al- 
ready on the books. 

• To create an effective national standard for securing sensitive personal informa- 
tion and data breach notification. 

We thank you again for giving us this opportunity to testify. It is only through 
such dialogue that good laws are enacted. I’m happy to answer any questions. 

The Chairman. Thank you very much. 

Ms. Rusu. 

STATEMENT OF IOANA RUSU, REGULATORY COUNSEL, 
CONSUMERS UNION 

Ms. Rusu. Thank you, Chairman and members of the Com- 
mittee. I’m going to skip over the intro and jump right into it. 
I think we can all agree that technological advances over the 
past decade have created incredible, fantastic tools for consumers 
to use. However, privacy is still important and relevant today. 
Even in today’s age of extensive sharing, few people would agree 
that every piece of information about them should be available to 
everyone for any conceivable purpose. 

In fact, in a May 2011 Consumer Reports poll, 82 percent of re- 
spondents were concerned that companies may be passing on their 
personal information to third parties without their permission. 
Such consumer distress is a significant barrier to the adoption of 
new technologies, which, in turn, harms commerce and discourages 
innovation. 

Consumers Union supports the privacy and data security bills 
that are the focus of today’s hearing. The Commercial Privacy Bill 
of Rights introduced by Senators Kerry and McCain puts in place 
some standards that would give consumers more control over their 
personal information. The bill’s framework is rooted in a set of fair 
information practice principles, such as timely notice about data 
collection, opt-out requirements, access and accuracy requirements, 
and the principle of privacy by design. 

We support the bill’s focus on sensitive information, including in- 
formation about health and religious affiliation. Companies han- 
dling such information must first get a consumer’s affirmative opt- 
in consent. This provision would protect a young woman suffering 
from bulimia, for example, from having to worry that by joining an 
eating disorders support forum her information will be passed 
along to advertisers, who will market weight loss supplements to 
her at every step. 

We also appreciate the bill’s enforcement power for the FTC and 
state attorneys general. This will increase the likelihood that bad 
actors are caught and punished. 

While the legislation lays out an important foundation for better privacy practices, we also look forward to strengthening the 
measure so that it provides consumers with even more trans- 
parency and control. For instance, we support providing consumers 
with an opt-out not only for unauthorized use of covered informa- 
tion, but also for its collection. We’d also like to see more authority 
granted to the FTC to modify and update the definitions in the bill. 
In addition, we’re concerned that the expansive language of the 
preemption provision could forestall state laws that seek to protect 
consumers beyond the intended scope of this bill. 

Consumers Union also supports Chairman Rockefeller’s Do-Not- 
Track Online Act as an important and necessary component of con- 
sumer online privacy policy. Public support for a do-not-track op- 
tion is particularly high at this moment. According to the same 
Consumer Reports poll I mentioned before, 81 percent of respond- 
ents agreed that they should be able to permanently opt out of 
Internet tracking. 

Some industry actors have already developed and incorporated 
do-not-track tools directly into browsers. Unfortunately, marketers 
currently can and do ignore consumers’ do-not-track choices. This 
is precisely why Chairman Rockefeller’s bill is a much needed com- 
ponent. Consumers Union believes that the Do-Not-Track Online 
Act and the Commercial Privacy Bill of Rights Act taken together 
would give consumers strong privacy protections and meaningful 
choice in the way their information is collected and used. 

Protecting consumer privacy, however, also means safeguarding 
data against unauthorized breaches. The Data Security and Breach 
Notification Act will protect consumers by requiring strong data se- 
curity practices, as well as notification in case of breach. The bill 
will also incentivize companies to practice data minimization on 
the front end before a breach occurs and to provide at least 2 years 
of free credit reports. We are particularly pleased with the provi- 
sions that instruct information brokers to maximize the accuracy 
and accessibility of their records and to provide consumers with a 
process to dispute information. 

Consumers Union would prefer that consumers be notified in any 
event of a breach, similar to the strongest state notice of breach 
laws currently in place. However, we can accept giving an exemption whenever a company demonstrates no reasonable risk of identity theft to the consumer. We urge this committee not to further 
weaken notification requirements. 

Thank you for your time, and I would be happy to answer any 
questions you may have. 

[The prepared statement of Ms. Rusu follows:] 

Prepared Statement of Ioana Rusu, Regulatory Counsel, Consumers Union 

Chairman Rockefeller, Ranking Member Hutchinson and esteemed members of 
the Committee. Thank you for the opportunity to appear before you today to discuss 
privacy and data security issues. My name is Ioana Rusu, and I am Regulatory 
Counsel for Consumers Union, the non-profit publisher of Consumer Reports® magazine. 

Privacy in a Rapidly Changing World 

Few can deny just how much the world has changed over the past decade. We 
now research and shop for products without ever leaving our homes. Our phones 
have become mini-computers, allowing us to organize our finances, pay bills, and 
order services on the go, as well as to pinpoint our exact geographical location. So- 
cial networks and online blogs enable us to create virtual lives, to reconnect with 
long-lost friends, and even to organize against oppressive government regimes. By 
transmitting and accessing more information than ever before, we’ve created both 
a vibrant online community and an efficient and convenient Internet marketplace. 
These incredible tools have enriched and enhanced our lives. 

At the same time, however, these same tools have planted some unnerving ques- 
tions in our hearts. For example, will we continue to express ourselves freely on the 
Internet when we know that every click and keystroke is being recorded by un- 
known entities, to be used for unknown purposes? And once we’ve entrusted our 
personal data to a third party, can we be sure it will be carefully safeguarded? 
It is time for us to answer these questions in a clear and straightforward manner. 
A privacy and data security policy composed of clear, predictable, and comprehen- 
sive rules will enhance consumer trust and encourage innovation. 

The first step toward this goal is our recognition that privacy is still very much 
a relevant and important concept in our world today. Although we live in an age 
of extensive sharing, very few people would agree that every piece of information 
they transmit should be available to everyone, for any conceivable purpose. We 
share information because it facilitates transactions, gives us access to services we 
seek, and allows us to more easily communicate with others. But it is incorrect to 
assume that consumers don’t care about how that information is used and dissemi- 
nated. In fact, in a May 2011 Consumer Reports® poll, 82 percent of respondents 
were concerned that companies they did business with may be passing on their per- 
sonal information to third parties without their permission. Such consumer distrust 
could represent a significant barrier to the adoption of new technologies, which in 
turn harms commerce and discourages innovation. 
Legislative Solutions for Protecting Consumer Privacy 

The Commercial Privacy Bill of Rights of 2011 introduced by Senators Kerry and 
McCain seeks to implement some reasonable standards that would give individuals 
more control over who gets access to their personal information and for what pur- 
pose. 

The bill’s framework is firmly rooted in a set of Fair Information Practice Prin- 
ciples (FIPPs) — “rules of the game” that spell out how covered entities should be col- 
lecting, handling, and sharing consumer data. These principles include clear, con- 
cise, and timely notice about data collection practices; opt out requirements for cer- 
tain uses of personal information; access and accuracy requirements; and the prin- 
ciple of “privacy by design,” which requires entities to incorporate privacy protec- 
tions directly into their day-to-day activities, as they develop new products and im- 
plement new technologies. Taken together, the FIPPs create a roadmap for the fair 
and responsible treatment of consumer data online. 

We are pleased that the bill requires companies to offer consumers an opt out 
from unauthorized uses of their information, including the unauthorized transfer of 
information to third parties and the passive collection of information by third par- 
ties on first-party sites. Third-party sharing of information is extremely expansive 
in today’s e-commerce, as tracking technologies allow advertisers to collect vast 
amounts of information about consumers and to aggregate them into personal pro- 
files that are then used to target individuals much more effectively than ever before. 
While some consumers may not mind receiving advertising tailored to their inter- 
ests, others prefer that their behaviors and preferences online remain private. The 
latter group should be able to choose not to have data shared with these unknown 
third parties. 

The bill also recognizes that some types of information are more intimate and 
more easily used for harmful purposes than others. As a result, the bill creates a 
“sensitive information” category, which includes personally identifiable information 
(PII) that could result in physical or economic harm to an individual, or information 
about an individual’s medical condition, medical records, or religious beliefs. If com- 
panies wish to collect, use, or share sensitive information, they must obtain the indi- 
vidual’s affirmative opt-in consent. We strongly agree with this provision. A young 
woman suffering from bulimia should never worry that when she joins an eating 
disorder support forum, her information will be passed along to companies who will 
market weight loss supplements to her at every step, constantly reminding her of 
her obsession with her weight. She also should never have to worry that information 
about her condition will be sold to her insurance company, who will then raise her 
rates. Such uses of sensitive information are unexpected and unfair, and should not 
be permitted without the consumer’s informed consent. 

In addition, we are pleased that the bill requires entities to engage in data mini- 
mization by not collecting more data than is needed, and by only retaining collected 
data for a limited amount of time. Consumers Union believes that the traditional 
notice-and-choice approach to privacy has not done enough to allay consumers’ con- 
cerns. This approach has resulted in lengthy privacy policies, filled with legalese, 
that consumers must “agree to” in order to access a website or receive a service. 
As a result, Consumers Union supports the implementation of substantive privacy 
principles, such as data minimization and data retention limits, which do not rely 
solely on consumer participation to function. These principles require companies to 
carry out an honest assessment of their own data practices, and to collect and retain 
only information necessary to the operation of their business. It is also important 
to note that rich repositories of information within indefinite retention periods tend 
to be prime targets for hackers and can expose extensive amounts of information 
in case of a data breach. Fewer privacy concerns will arise if only necessary data 
is collected and stored for a limited amount of time. 

The bill grants enforcement power to both the Federal Trade Commission and 
state attorneys general (AGs) — a crucial provision that will increase the likelihood 
that bad actors are caught and punished. The enforcement provisions of the bill are 
crucial elements of this privacy framework, and emphasize the fact that any com- 
prehensive privacy standards must be backed up by the force of law. The reason 
why industry self-regulation initiatives have largely failed to address this problem 
so far is that companies choose to voluntarily participate, and are held accountable 
insofar as they violate the stated terms in their own privacy policies. Under the pro- 
posed framework, all covered entities would be required to comply or risk enforce- 
ment action by either FTC or state AGs. 

As discussed above, the Commercial Privacy Bill of Rights of 2011 lays out an im- 
portant foundation for better privacy practices which Consumers Union supports. At 
the same time, we look forward to working toward strengthening the measure so 
that it provides consumers with even more transparency and control. 
First of all, we support providing consumers with an opt-out not only for the unauthorized use of covered information, but also for its collection. Companies should not be permitted to amass vast quantities of information about individuals’ behaviors and interests, without at least giving those individuals some notice and opportunity to opt out. 

Second, we believe the bill could be strengthened by extending the definition of 
“sensitive information” to also include information directly tied to unique identifiers, 
not just to PII. As the FTC noted in its recent staff report, the distinctions between 
PII and non-PII are becoming increasingly irrelevant. A consumer’s behavioral pro- 
file is not “anonymous” simply because it is not tied to his name or address; it is 
sufficient that it is tied to his particular device. Companies could use that informa- 
tion to treat consumers unfairly, even without access to their PII. For example, if 
a website does not know my name, but knows that, based on my browsing habits, 
I am a user with a taste for luxury goods, it could presumably show me different 
offers, at different prices, than it would for another user. This may result in eco- 
nomic harm to me. 

In addition, re-identification methods today allow companies to aggregate many 
pieces of “anonymous” consumer information into profiles that can then be linked 
to actual persons. While the bill does include a provision prohibiting re-identifica- 
tion by third parties — a provision that we support — we believe this same prohibition 
should also apply to first parties who claim to collect only anonymous information 
from consumers. Such first parties should also be prohibited from re-identifying the 
consumers to whom the data applies. We are pleased to see heightened protections 
for sensitive information, but would like to see the definition of “sensitive informa- 
tion” expanded to address the ways in which online behavioral tracking is currently 
being carried out: through unique identifiers tied to individual devices. 

Third, we wish to see more authority granted to the Federal Trade Commission 
to modify and update the definitions in the bill. As industry never fails to point out, 
this is a rapidly changing and emerging field, with new developments springing up 
almost on a daily basis. The FTC should have flexibility to address these new issues 
as they arise. 

Also, the expansive language of the pre-emption provision could forestall any state 
laws that “relate to” covered entities’ collection, use or disclosure of covered informa- 
tion. Although some pre-emption may be necessary to ensure uniformity in privacy 
practices across state lines, states should be given leeway to come up with innova- 
tive ways of protecting consumers while also supporting technological innovation. 
We would recommend that the pre-emption provision in the bill, at most, cover any 
state laws that “expressly” require covered entities to implement requirements with 
respect to the collection, use or disclosure of covered information. Although still pre- 
emptive, this language would be more narrowly tailored and may still allow state 
action in areas not covered by the bill. 

While we believe the Commercial Privacy Bill of Rights Act will provide con- 
sumers with meaningful choice over how their personal information is collected, 
transferred, and used, our organization has long supported giving consumers the 
possibility to opt out of online tracking. That is why Consumers Union also strongly 
supports Chairman Rockefeller’s Do-Not-Track Online Act of 2011 as an important 
and necessary component of consumer online privacy policy. 

The bill would lend the force of law to industry’s self-regulatory efforts by requir- 
ing that when a consumer using a Do-Not-Track (DNT) tool expresses a preference 
to not be tracked online, companies must respect that choice. The Federal Trade 
Commission would have authority to establish standards for the implementation of 
such DNT tools, taking into consideration the appropriate scope of such mechanisms, technical feasibility, and cost. In addition, the bill gives both FTC and state AGs authority to enforce the statute and ensuing regulations, and to seek civil penalties and damages from bad actors. 

Public support for a DNT option is particularly high at the moment. According 
to the same Consumer Reports® poll mentioned above, 81 percent of respondents 
agreed that they should be able to permanently opt out of Internet tracking. In ad- 
dition, the FTC endorsed this idea in its most recent report, and we are pleased that 
some industry actors have already developed and incorporated DNT tools directly 
into browsers. Despite the emergence of such consumer-friendly tools, however, mar- 
keters currently can and do ignore consumers’ DNT choices. This is precisely why 
Chairman Rockefeller’s bill is a much-needed component in today’s privacy discus- 
sion. 

Consumers Union believes that the Do-Not-Track Online Act and the Commercial 
Privacy Bill of Rights Act, taken together, would give consumers strong privacy pro- 
tections and meaningful choice in the way their information is collected and used 
online. 
Protecting Consumers’ Data from Breaches 

Protecting consumer privacy extends beyond giving consumers control over how 
their information is used and shared. Any comprehensive, standardized privacy pol- 
icy must also address how collected information is stored and safeguarded, and what 
protections each consumer should enjoy in the unfortunate event of a data breach. 

Last month, Sony’s PlayStation network faced numerous attacks that resulted in 
the theft of over 100 million personal records, according to Privacy Rights Clearing- 
house. And in April, the e-mail database of marketing company Epsilon was hacked 
and an unknown number of consumer names and e-mail addresses were stolen. Because Epsilon sends out more than 40 billion marketing e-mails annually, the potential breadth of this breach could render it the biggest of its kind in U.S. history. 

The ubiquity of security breach incidents today renders the Data Security and 
Breach Notification Act of 2011, introduced by Senator Pryor and Chairman Rocke- 
feller, particularly timely and relevant. Consumers Union believes this bill will pro- 
tect consumers by mandating strong data security practices for all covered entities, 
as well as notification in case of breach. The bill will also hopefully incentivize covered entities to engage in data minimization practices on the front end, before a 
breach occurs. 

The Data Security and Breach Notification Act first directs the Federal Trade 
Commission to promulgate regulations that would lay out how covered entities must 
maintain and protect personal information. These regulations would encourage com- 
panies to assess vulnerabilities and anticipate reasonably foreseeable attacks, in 
order to address those issues and prevent a breach. 

If a security breach nevertheless does occur, the bill would require covered enti- 
ties to provide timely notice of security breach to affected consumers and at least 
2 years of free credit reports or credit monitoring. Consumers Union supports these 
provisions. If consumers do not know their data has been compromised, they cannot 
take steps to protect themselves. We also do not believe that consumers should have 
to bear the costs when personal information that they entrusted to a company is 
lost. 

Although Consumers Union would prefer that consumers receive notification 
whenever their personal information is compromised, if there is to be a standard 
for risk, then Consumers Union would prefer the approach taken by this bill, where 
the risk is considered as an exemption rather than as an affirmative trigger. Under 
an “exemption” approach, a company with a security breach has to qualify for the 
exemption by showing that there is no reasonable risk of harm. Insufficient informa- 
tion about the level of risk does not eliminate the obligation to tell consumers about 
the breach. We would like to note, however, that the strongest state notice of breach 
laws do not require a finding of risk before mandating consumer notification. 

We are particularly pleased that the bill focuses on the activities of information 
brokers, defined as commercial entities whose business is to collect, assemble, or 
maintain personal information concerning individuals with the purpose of selling 
such information to unaffiliated third parties. We strongly support the provisions in- 
structing information brokers to maximize the accuracy and accessibility of their 
records, as well as to provide consumers with a process to dispute information. In 
addition, the provisions requiring information brokers to submit their security poli- 
cies to the FTC, as well to undergo potential FTC post-breach audits, will foster ac- 
countability and enforcement of this bill. 

This bill arms state officials with strong enforcement tools to ensure compliance 
with the law. Consumers Union agrees that state attorneys general and other offi- 
cials or agencies of the State should have the authority to bring enforcement actions 
against any entity that engages in conduct violating the bill. State attorneys general 
have been at the forefront of notice of data breach issues and have played an invalu- 
able role in addressing identity theft and data breach. Consumers’ personal informa- 
tion will be better protected because of these enforcement tools. 

Consumers Union believes that the Data Security and Breach Notification Act 
would encourage companies to act proactively to prevent against data breaches and 
to quickly address any breaches that may occur. At the same time, we look forward 
to working toward strengthening a couple of the provisions in the bill. 

First, we are concerned that companies conducting risk assessments may not al- 
ways evaluate the facts in a fair and truthful manner, in order to avoid costly notice 
requirements. As a result, we would suggest that companies be required to either 
submit the results of their self-assessments to the FTC and state AGs, or, alter- 
natively, to maintain a copy of those results for a defined period of time and make 
them available to the authorities upon request. A faulty self-assessment that clearly 
ignores potential risks should be treated as a violation of the statute. 

We also hope that the 60-day window for providing notification will be narrowed. 
The sooner consumers are made aware of a breach, the quicker they can take remedial action. In addition, we are concerned that some credit monitoring companies 
are automatically billing consumers after the mandatory two free years of moni- 
toring have ended. Consumers should affirmatively consent to any additional moni- 
toring beyond the 2 years provided by the company. 

Closing 

In closing, we urge you to continue the conversation on the important topics of 
data privacy and security. While these three bills put in place important protections 
for consumer data, both online and offline, we encourage you to also consider adding 
additional protections for kids and adolescents. Teens between the ages of 13 and 
17, in particular, make up a large portion of Internet users today. At the same time, 
they are more vulnerable to inappropriate uses of their personal information online. 
We hope you will develop some heightened standards to address the privacy of these 
sensitive users. 

Consumers Union looks forward to working with you as these three bills move for- 
ward. Consumers are looking to you to enact standardized, mandatory and enforce- 
able rules of the road that companies must follow when handling user data. We 
firmly believe that implementing these baseline principles will enhance consumer 
trust in the marketplace and encourage businesses to grow and innovate with con- 
fidence. Thank you for your time, and I would be happy to answer any questions 
you may have. 

The Chairman. Thank you. 

Mr. Schaaff? 

Incidentally, I want to apologize to everyone about this travesty 
of scheduling. It’s not fair to you. It’s not fair to us. It’s not fair 
to the subject. People were lined all the way down to the basement 
to get into this hearing. And we’re all being short-changed because 
of votes. 

We usually make one vote a day. It’s usually on a judge. For 
some reason, now, we’re going to have five votes, and it’s all quite 
incomprehensible and totally unfair to everybody in this room. 

Please proceed, sir. 

STATEMENT OF TIM SCHAAFF, PRESIDENT, 

SONY NETWORK ENTERTAINMENT INTERNATIONAL 

Mr. Schaaff. Thank you. Chairman Rockefeller and other distin- 
guished members of the Committee. Thank you for this oppor- 
tunity. 

My name is Tim Schaaff, and I’m President of Sony Network En- 
tertainment, a subsidiary of Sony Corporation based in California, 
where we employ approximately 700 people in five offices around 
the state. I’m chiefly responsible for the business and technical as- 
pects of Sony’s PlayStation Network and Curiosity, online services 
that allow consumers to access movies, television shows, music, 
and video games. 

Sony Network Entertainment, Sony Online Entertainment, and 
millions of our customers were recently the victims of an increasingly common digital age crime, a cyber attack. Regarding the attack on Sony, initially Anonymous, the underground group associated with last year’s Wikileaks-related cyber attacks openly called 
for and carried out massive denial of service attacks against nu- 
merous Sony Internet sites in retaliation for Sony bringing an ac- 
tion in federal court to protect its intellectual property. During or 
shortly after those attacks, one or more highly-skilled hackers infil- 
trated the servers of the PlayStation Network and Sony Online En- 
tertainment. 

Sony Network Entertainment and Sony Online Entertainment 
have always made concerted and substantial efforts to maintain 
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and improve the data security systems that we utilize. We hired re- 
spected and experienced cyber security firms to enhance our de- 
fenses against the denial of service attacks threatened by Anony- 
mous. But, unfortunately, no entity can foresee every potential 
cyber security threat. 

We have detailed for the Committee in our written testimony the 
time line from when we first discovered the breach, so I will not 
cover those details here today. However, throughout this time, we 
felt a keen sense of responsibility to our consumers. We shut down 
the networks to protect against further unauthorized activity. We 
notified our customers promptly when we had specific, accurate, 
and useful information. 

We thanked our customers for their patience and loyalty and ad- 
dressed their concerns arising from this breach with free identity 
theft protection and insurance programs for U.S. and other cus- 
tomers, as well as a welcome-back package of extended and free 
subscriptions, games, and other services. And we worked to restore 
our networks with stronger security to protect our customers’ inter- 
ests. 

Let me address one of the specific issues you are considering 
today, notification of consumers when data breaches occur. Laws 
and common sense provide for companies to investigate breaches, 
gather the facts, and then report data losses publicly. If you re- 
verse that order, issuing vague or speculative statements before 
you have specific and reliable information, you either send false 
alarms or so many alarms that these warnings will be ignored. 

We, therefore, support balanced federal data breach legislation 
and look forward to working with the Committee on the particulars 
of the bill. By working together to enact meaningful cyber security 
legislation, we can limit the threat posed to all. And by simulta- 
neously moving forward on data breach policies and legislation, we 
can ensure that consumers are empowered with the necessary in- 
formation and tools to protect themselves from these cyber crimi- 
nals. 

Thank you very much. 

[The prepared statement of Mr. Schaaff follows:] 

Prepared Statement of Tim Schaaff, President, 
Sony Network Entertainment International 

Chairman Rockefeller, Ranking Member Hutchison, and other distinguished mem- 
bers of the Committee, thank you for providing Sony with this opportunity to testify 
on cyber crime and data security. 

My name is Tim Schaaff, and I am President of Sony Network Entertainment 
International, a subsidiary of Sony Corporation. 

I am chiefly responsible for the business and technical aspects of Sony’s 
PlayStation Network and Qriocity, online services that allow consumers to access 
movies, television shows, music and video games. 

As you know, this year, Sony has been one of a growing number of targets of an 
increasingly common digital-age crime: a cyber attack. 

Almost every day it seems a new story emerges about businesses, government en- 
tities, public institutions and individuals becoming victims of this cyber crime wave, 
thus supporting President Obama’s statement noting that these cyber attacks are 
“one of the most serious economic and national security threats our Nation faces.” 
This warning was recently echoed by Defense Secretary Gates: “[t]here is a huge 
future threat and there is a considerable current threat [from cyber attacks]. That’s 
just a reality we all face.” 

If nothing else, perhaps the frequency, audacity and harmfulness of these attacks 
will help encourage Congress to enact new legislation to make the Internet a safer 
place for everyone to learn, enjoy entertainment and engage in commerce. We ap- 
plaud this committee for its work on the issue, and we stand ready to assist you 
in whatever way we can. 

Regarding the attack on Sony, please let me briefly provide some details. Initially, 
Anonymous, the underground group associated with last year’s WikiLeaks-related 
cyber attacks, openly called for and carried out massive “denial-of-service” attacks 
against numerous Sony Internet sites in retaliation for Sony bringing an action in 
federal court to protect its intellectual property. 

During or shortly after those attacks, one or more highly-skilled hackers infil- 
trated the servers of the PlayStation Network and Sony Online Entertainment. 

Sony Network Entertainment and Sony Online Entertainment have always made 
concerted and substantial efforts to maintain and improve their data security sys- 
tems. A well-respected and experienced cyber-security firm was retained to enhance 
our defenses against the denial-of-service attacks threatened by Anonymous. But 
unfortunately no entity — be it a mom-and-pop business, a multinational corporation, 
or the Federal Government — can foresee every potential cyber-security threat. 

On Tuesday, April 19, 2011, our network team discovered unplanned and unusual 
activity taking place on four of the many servers that comprise the PlayStation Net- 
work. The network team took those four servers off line and an internal assessment 
began. 

On Wednesday, April 20, we mobilized a larger internal team to assist in the in- 
vestigation. And on that date, the team discovered the first credible indications that 
an intruder had been in the PlayStation Network system. We immediately shut 
down all of the PlayStation Network services in order to prevent additional unau- 
thorized activity. 

That same afternoon, a security firm was retained to “mirror” the servers to en- 
able a forensic analysis. The scope and complexity of the investigation grew substan- 
tially as additional evidence about the attack developed. 

On Thursday, April 21, a second recognized firm was retained to assist in the in- 
vestigation. 

On Friday, April 22, we notified PlayStation Network customers via a post on the 
PlayStation Blog that an intrusion had occurred. 

By the evening of Saturday, April 23, we were able to confirm that intruders had 
used very sophisticated and aggressive techniques to obtain unauthorized access to 
the servers and hide their presence from the system administrators. 

On Sunday, April 24, yet another forensic team with highly specialized skills was 
retained to help determine the scope of the intrusion. 

By Monday, April 25, we were able to confirm the scope of the personal data that 
we believed had been accessed. Although there was no evidence credit card informa- 
tion was accessed, we could not rule out the possibility. 

The very next day — Tuesday, April 26, we issued a public notice that we believed 
the personal information of our customers had been taken and that, while there was 
no — and there still is no — evidence that credit card data was taken, we could not 
rule out the possibility. We also posted this on our blog and began to e-mail each 
of our account holders directly. 

On Sunday, May 1, Sony Online Entertainment, a multiplayer, online video game 
network, discovered that data may have been taken. On Monday, May 2, Sony On- 
line Entertainment shut down this service and notified customers that their per- 
sonal information may have been compromised. 

Throughout this time, we felt a keen sense of responsibility to our customers: 

• We shut down the networks to protect against further unauthorized activity; 

• We notified our customers promptly when we had specific, accurate and useful 
information; 

• We thanked our customers for their patience and loyalty and addressed their 
concerns arising from this breach with identity theft protection programs — at no 
cost to consumers — for U.S. and other customers (where available) and a “Wel- 
come Back” package of extended and free subscriptions, games and other serv- 
ices; and 

• We worked to restore our networks with stronger security to protect our cus- 
tomers’ interests. 

We have relaunched our networks, with stronger security protections in place, and 
we are pleased that our customers have been very loyal and excited about returning 
to them. In fact, our PlayStation Network activity level is already up to more than 
90 percent of what it was before the attack. And sales of our PS3s are up double- 
digits this year. 
Two final points. First, as frustrating as the loss of the network for playing games 
was for our customers, the consequences of cyber attacks against financial or de- 
fense institutions could be devastating for our economy and security. Consider the 
fact that defense contractor Lockheed Martin and the Oak Ridge National Labora- 
tory, which helps the Department of Energy secure the nation’s electric grid, were 
cyber attacked within the past several months. Even the CIA, the FBI and the U.S. 
Senate have recently experienced such attacks. 

Second, we support federal data breach legislation that would: (1) provide con- 
sumers — regardless of what state they live in — the assurance that if and when their 
personal data is compromised, they will receive timely, meaningful, and accurate no- 
tice of this fact; (2) ensure that consumers receive helpful information on what 
measures they can take to mitigate any potential harm, including free credit report- 
ing in cases in which such a service is warranted; and (3) treat all similarly situated 
companies that possess personal information equally. 

By working together to enact meaningful cyber-security legislation, we can limit 
the threat posed to us all. We look forward to working with you to ensure that con- 
sumers, businesses and governments are empowered with the information and tools 
they need to protect themselves from cyber criminals. We are willing and eager to 
help provide law enforcement with the laws and resources they need to prevent 
cyber crime from occurring and bring cyber criminals to justice when prevention 
fails. And by simultaneously moving forward on data breach policies and legislation, 
we can ensure that consumers are empowered with the necessary information and 
tools to protect themselves from these cyber criminals. 

Thank you. 

The Chairman. Thank you, Mr. Schaaff. 

Mr. Lenard. 

STATEMENT OF THOMAS M. LENARD, Ph.D., PRESIDENT AND 
SENIOR FELLOW, TECHNOLOGY POLICY INSTITUTE 

Mr. Lenard. Thank you, Chairman Rockefeller and members of 
the Committee. I appreciate the opportunity to testify today. 

I’d like to stress two points in my testimony: first, the impor- 
tance of having reliable data and analysis for policymaking in this 
area; and, second, that privacy and security are different things 
and, therefore, should be dealt with separately. The privacy debate 
has engendered strong opinions but relatively little data or anal- 
ysis. In order to make informed decisions, policymakers need to 
have facts about the practices prevalent in the marketplace. To my 
knowledge, the most recent systematic data on commercial website 
privacy practices are from 2001. 

In addition to basic data, the benefits and costs of policy pro- 
posals need to be evaluated to ensure that they improve consumer 
welfare. For example, some proposals are likely to reduce the value 
of the Internet as an advertising medium both for firms and con- 
sumers and in the process reduce the revenue available to support 
content enjoyed by all Internet users. The principal purpose of cost- 
benefit analysis is to make these trade-offs explicit. 

Some proposals also may not produce the intended results. For 
example, the idea for a do-not-track mechanism comes from the 
telemarketing Do-Not-Call list which has been very popular. But 
the effects may be quite different. The Do-Not-Call list reduces un- 
wanted marketing solicitations. The do-not-track mechanism could 
have the opposite effect with consumers receiving a greater number 
of ads that are less well targeted to their interests. 

The Chairman. Could you repeat that sentence? 

Mr. Lenard. A do-not-track mechanism could have the opposite 
effect with consumers receiving a greater number of ads that are 
less well targeted to their interests. 
The Chairman. OK. 

Mr. Lenard. Security presents different issues than privacy. Peo- 
ple may be quite comfortable with the intended uses of their infor- 
mation but worried about unintended uses and want their informa- 
tion to be secure. Identity theft is perhaps their primary security 
concern, although the most recent data show that total identity 
fraud in 2010 was at its lowest level in 8 years. 

Regulating the collection and use of information by legitimate 
firms does little or nothing to deter identity theft. And, in fact, ex- 
cessive control of information may increase the risk of identity 
theft by making it more difficult for sellers to determine if a poten- 
tial buyer is fraudulent. There are two general responses to data 
breaches and related fraud: improved security to reduce the likeli- 
hood that such events will happen, and notification of the victims 
in the event that they do happen. Both are addressed in current 
legislative proposals. 

Data breaches and identity frauds are extremely costly to the 
firms involved, which gives companies a very strong incentive to 
spend money on data security. It’s, therefore, unclear that govern- 
ment action in this area is warranted. Incentives for notification 
may be less strong, and whether a regulatory notification require- 
ment would make people better off is, therefore, an empirical ques- 
tion. One thing to be concerned about is that if consumers receive 
more notices, they may become afraid to do business online. This 
would be an unfortunate response because online commerce is safer 
than offline commerce. 

Perhaps the most significant benefit of federal data security and 
breach notification legislation would be preempting the patchwork 
of state laws. For that reason, enacting a carefully crafted federal 
bill could yield savings for firms and consumers. 

The privacy and data security debates are extremely important 
to the future of the digital economy and of innovation in the United 
States. But, unfortunately, they are taking place largely in an em- 
pirical vacuum. Without substantially better data and analysis, 
there’s no way of knowing with any confidence whether proposals 
currently under consideration will improve consumer welfare or 
not. 

Thank you. 

[The prepared statement of Mr. Lenard follows:] 

Prepared Statement of Thomas M. Lenard, Ph.D.,* President and Senior 
Fellow, Technology Policy Institute 

Chairman Rockefeller, Ranking Member Hutchison, and members of the Com- 
mittee: My name is Thomas Lenard and I am President and Senior Fellow at the 
Technology Policy Institute, a non-profit, non-partisan think tank that focuses on 
the economics of innovation, technological change, and related regulation in the 
United States and around the world. I appreciate the opportunity to testify before 
you today on privacy and data security. These issues are critically important for in- 
novation in the digital economy, which relies on the flow of large amounts of infor- 
mation. 

I would like to stress two points in my testimony: first, the importance of having 
reliable data and analysis for good policymaking in this area; and, second, that pri- 
vacy and security are different and therefore should be dealt with separately. 


*The views expressed here are my own and do not necessarily reflect the views of TPI, its 
board, or its staff. 
Privacy 

The privacy debate has engendered strong opinions, but relatively little data or 
analysis. In some respects, we had better data for policymaking 10 years ago than 
we do now. In 2001, when the last of a series of four studies by researchers at the 
FTC and elsewhere was completed, we at least had baseline data on the privacy 
practices of commercial websites. During the period covered by the studies, the pri- 
vacy practices of commercial websites generally improved. However, to my knowl- 
edge there has been no systematic study since 2001, so no one knows what commer- 
cial website practices are today and whether they are better or worse than they 
were a decade ago. Policymakers can’t make informed policy decisions without facts 
about the practices prevalent in the marketplace. 

In addition to basic data, the benefits and costs of alternative privacy regimes (in- 
cluding the status quo) need to be carefully analyzed in order to identify the policies 
that will best serve the interests of consumers. The commercial use of information 
online produces a range of benefits, including advertising targeted to consumers’ in- 
terests; advertising-supported services and content, such as free e-mail and search 
engines; and fraud detection and reduction in other threats, such as malware and 
phishing. More privacy means less information available for the marketplace and, 
therefore, potentially fewer benefits for consumers. Indeed, most privacy proposals 
are designed to make it easier for consumers to limit the amount of information 
firms collect and retain. The principal purpose of cost-benefit analysis is to make 
the tradeoffs inherent in greater privacy protection explicit and evaluate them. 

On the cost side, a recent study found that the European Privacy Directive re- 
duced the effectiveness of online advertising by about 65 percent. In other words, 
privacy protections make advertising less useful to consumers and, therefore, less 
valuable to advertisers. Advertisers will pay less for less-effective ads, which re- 
duces the resources available to support online content. The authors found this was 
particularly so for more general (less product-specific) websites, such as newspapers. 

Although only a few empirical studies of the costs of privacy regulation exist, even 
less information is available on the benefits. The benefits of privacy are the reduced 
harms associated with information being available or misused. If it is difficult to 
show harm from current practices — and thus far it has been — then it is also difficult 
to demonstrate that increased privacy regulation will produce benefits. We do know 
that people routinely give up some information about themselves in return for ac- 
cess to content and other services, such as e-mail and online news subscriptions, 
and more useful advertising. This suggests that consumers are willing to give up 
some privacy for the value they receive. 

The benefits and costs of specific proposals, such as a Do-Not-Track mechanism 
should be evaluated to make sure they improve consumer welfare. Some people may 
use a Do-Not-Track mechanism because they derive utility simply from knowing 
they are not being tracked. These potential benefits need to be weighed against the 
costs, which include the direct costs of implementation as well as the indirect costs 
in terms of the quantity and quality of services and content on the Internet. Many 
of these costs would be borne not only by Do-Not-Track participants but by other 
users as well. A Do-Not-Track mechanism (depending on how many people used it) 
could reduce the value of the Internet as an advertising medium, and therefore the 
revenues available to support content for all Internet users. A Do-Not-Track mecha- 
nism could also affect the quality of major Internet services, such as search engines, 
which use data on search histories to update and improve their algorithms, and to 
protect against threats such as search spam, click-fraud, malware and phishing. The 
fewer data available to search engines, the less well they will perform. In sum, the 
information generated by online tracking generates positive externalities that sup- 
port the services that everyone uses. Consumers who opted for a Do-Not-Track 
mechanism might be free-riding off those consumers who allowed their data to be 
used.¹ 

The idea for a Do-Not-Track mechanism comes from the telemarketing Do-Not- 
Call List, which has been very popular. But the similarities between the two end 
at their names. People sign up for the Do-Not-Call List in order to reduce unwanted 
marketing solicitations. A Do-Not-Track mechanism would likely have the opposite 
effect. Consumers might receive a greater number of ads that are less-well targeted 
to their interests. This cost should also be taken into account. Several easily avail- 
able tools let consumers block ads on the Internet, but a Do-Not-Track mechanism 
is unlikely to be one of them. 


¹This is in contrast to the Do-Not-Call List. Signing up for the Do-Not-Call List would not 
appear to impose costs on other consumers. 
The three major browser providers — Google, Microsoft, and Mozilla — have an- 
nounced that their products will include Do-Not-Track mechanisms. It is unclear 
whether this is a response to demands from consumers or to the specter of regu- 
latory intervention. In any event, these “market” solutions should be permitted to 
develop without any additional pressure or requirements from the government. 

Data Security 

With respect to data security, the most recent survey from Javelin Strategy and 
Research found that total identity fraud in 2010 was at its lowest level in 8 years. 
While all types of fraud declined, and average costs per victim declined, mean con- 
sumer out-of-pocket costs increased, in part due to an increase in “friendly fraud” — 
fraud perpetrated by people known to the victim, such as a relative or a roommate. 

Security presents a different set of issues than privacy. People may be comfortable 
with the intended uses of their data, but are worried about unintended uses and 
want their data to be secure. Identity theft — which involves the loss of personal data 
that poses a financial threat (such as a credit card number) — is perhaps the primary 
security concern of individuals. Regulating the collection and use of information by 
legitimate firms does not appear to make it more difficult for criminals to access 
information such as credit card numbers and, therefore, does little or nothing to 
deter identity theft. In fact, excessive control of information may increase the risk 
of identity theft by making it more difficult for sellers to determine if a potential 
buyer is fraudulent or not. Moreover, anything that encourages individuals to shift 
transactions offline is likely to be counter-productive. 

There are two general responses to data breaches and related fraud — improved se- 
curity to reduce the likelihood that such events will happen, and notification of the 
victims in the event that they do happen. Both of these are addressed in the data 
security bills being considered by Congress. 

Substantial evidence suggests that data breaches, identity theft and related 
frauds are very costly to the firms involved. The FTC, in a 2003 study, found that 
the costs of identity theft to businesses were about 10 times the costs to individuals. 
Credit card issuers and merchants are typically liable for the costs of fraudulent 
charges — a form of insurance provided to credit card holders. The costs to firms are 
reflected in the significant stock market losses they suffer when victimized by secu- 
rity breaches. Thus, companies have a strong incentive to spend money on data se- 
curity and it is unclear that government action in this area is warranted. 

Incentives for notification may be less strong. However, whether a regulatory noti- 
fication requirement would make people better off is an empirical question. Are the 
expected benefits greater than the expected costs? This is a complicated question 
but several factors affect how we should view notification requirements: 

First, even when consumers receive notice of a security breach, most of them 
do nothing about it. This lack of action is probably a rational response because 
even when data are compromised, the probability of identity theft is extremely 
small and actions like placing fraud alerts or closing accounts are not costless. 
Moreover, the costs of most instances of identity theft — i.e., credit card fraud — 
are incurred by firms and not individuals. 

Second, we don’t have good information about the range of consumer responses 
to notification. If consumers receive more notices, they may simply become in- 
different to them. Or, they may become afraid to do business online. This would 
be a costly over-reaction because online commerce is safer than offline com- 
merce. Indeed, one of Javelin’s principal recommendations in its annual reports 
is that consumers should move their transactions online. 

Because of these factors, a notification mandate should carefully target those indi- 
viduals most at risk of identity fraud in order to increase its potential benefits. 

Perhaps the most significant benefit of federal data security and breach notifica- 
tion legislation would be preempting the patchwork of state laws. Since most compa- 
nies operate nationally, a state-by-state approach is unlikely to work well. For that 
reason, enacting a carefully crafted federal bill could yield savings for firms and con- 
sumers. 

Conclusion 

The privacy and data security debates are extremely important to the future of 
the digital economy and of innovation in the United States. Unfortunately, they are 
taking place largely in an empirical vacuum. Without substantially better data and 
analysis, there is no way of knowing with any confidence whether proposals cur- 
rently under consideration will improve consumer welfare. 

The Chairman. Thank you very much. 
Mr. Taylor. 

STATEMENT OF SCOTT TAYLOR, CHIEF PRIVACY OFFICER, 
HEWLETT-PACKARD COMPANY 

Mr. Taylor. Chairman Rockefeller, members of the Committee, 
HP commends the Committee on its forward-looking approaches to 
balancing consumer privacy interests with the business realities of 
an Internet-based economy. I’d like to talk today about technology, 
trust, and privacy and how they converge to create new opportuni- 
ties but also a set of challenges. 

We’re living in a time where our reliance on technology is ever 
increasing. Our business and personal lives are starting to merge. 
Consumers are more dependent upon mobile devices, and they have 
growing expectations that companies are going to be accountable 
stewards that respect and protect the information that we collect, 
that we use, and that we maintain. 

HP firmly believes that our ability to succeed in the marketplace 
depends on earning and keeping our customers’ trust. HP takes ac- 
tive steps to implement organizational accountability for privacy 
throughout our company. We believe that companies need to do 
more and, when asked or requested, to be able to demonstrate their 
capacity to uphold the obligations and the commitments that they 
make. 

To that end, we’ve built an internal program that includes our 
privacy advisor tool, which integrates all of our commitments into 
a tool that helps to guide our employees. The tool looks at privacy 
requirements, risks, and other considerations. It helps ensure that 
we’re able to hold every employee accountable. The concept is 
known as privacy by design, and it’s one of the fundamental ele- 
ments in the legislation that Senators Kerry and McCain have put 
forward that HP supports. 

HP is a strong proponent of omnibus U.S. federal privacy legisla- 
tion. We firmly believe that it’s time for the U.S. to establish a 
comprehensive, flexible, legal framework that works to protect con- 
sumer privacy. We believe consumers are expecting it, businesses 
need it, and the economy will be better for it. 

While HP also believes in effective corporate self-regulation or 
the possibility of innovative co-regulatory programs as outlined in 
the Kerry-McCain bill, the patchwork of state laws and statutes in 
existence today confuses customers about their protection in any 
given context, and it also forces companies to contend with dif- 
fering and often conflicting regulations. This is why we strongly 
support the initiatives like Senator Pryor’s data security legisla- 
tion, which would set a national preemptive standard. 

We believe that the adoption of new innovation depends on com- 
panies acting in an accountable and responsible manner that an- 
ticipates consumer expectations. No one is served, not corporations, 
not governments, and certainly not consumers, by a lack of con- 
fidence in the security and privacy of personal information. At HP, 
we believe that consumer trust comes from good transparency and 
providing meaningful choice. This is why we support the concepts 
in Senator Rockefeller’s do-not-track legislation. 

We continue to urge policymakers to examine ways to establish 
baseline federal legislation that will clearly articulate expectations 
for all organizations. As more and more services are delivered 
through mobile devices, such as applications, it’s going to become 
even more important that we have a consistent baseline standard 
that will strengthen that chain of accountability and unify the di- 
vergent regulations that are currently in existence. 

Simply stated, HP recognizes that consumer trust is a precious 
commodity that must be protected through good stewardship and 
robust privacy programs. Federal legislation can establish a uni- 
fying federal baseline standard for organizational accountability as 
well as improved consumer protection. We believe that it’s both a 
win for consumers as well as industry as a whole. 

Thank you for your time, and I’m happy to answer 

The Chairman. No, thank you very much, and that was very 
clear and well presented. 

[The prepared statement of Mr. Taylor follows:] 

Prepared Statement of Scott Taylor, Chief Privacy Officer, 
Hewlett-Packard Company 

Chairman Rockefeller, Ranking Member Hutchison and members of the Com- 
mittee, my name is Scott Taylor and I am the Chief Privacy Officer at Hewlett- 
Packard Company. Thank you for inviting me to testify today on privacy. HP com- 
mends the Committee for its forward-looking approaches to balancing consumer pri- 
vacy interests with the business realities of a global, Internet-based economy. 

We are living in a time when our reliance on technology is increasing every day. 
There is a continued blurring between our business and personal lives. Consumers 
are more dependent on mobile devices, and they have a growing expectation that 
companies will be accountable stewards that respect and protect the information we 
collect, use and maintain. 

Today’s technologies provide tremendous benefits to consumers and businesses 
and are critical to economic growth and prosperity. Yet these same innovations cre- 
ate new challenges related to privacy. 

Privacy is a Core HP Value 

HP’s core values of trust, respect and integrity provide the foundation for our 
commitment to privacy. HP firmly believes that our ability to succeed in the market- 
place depends upon earning and keeping our customers’ trust. HP has a rigorous 
global privacy program and is at the forefront of industry efforts to create new 
frameworks and strengthen privacy protections. HP takes active steps to implement 
organizational accountability for privacy throughout our company. We believe com- 
panies need to do more and be willing to demonstrate their capacity to uphold the 
obligations and commitments they make. 

Accountability Framework 

HP’s approach to privacy is built on a model of accountability. We seek to create 
a chain of accountability for the information we handle, ensuring data privacy and 
security are advanced at every stage of the process. HP teams work together to 
oversee and manage our privacy efforts and collaborate with external partners to 
advance privacy protection worldwide. 

HP’s privacy accountability model is a decision-making framework that helps 
business units make informed choices about the risks associated with collecting and 
handling data. Our accountability approach demonstrates HP’s commitment to pri- 
vacy and goes well beyond legal compliance. Various factors are taken into consider- 
ation including first and foremost ethics as well as contractual agreements, regula- 
tions, international provisions and corporate culture. Our model builds on that foun- 
dation by considering decisions in light of our company values, customer expecta- 
tions and potential risks to ensure we are fully accountable for our actions. 

To that end, we have built a robust internal privacy program that focuses on inte- 
grated governance, risk and opportunity identification. Combined with strong policy 
commitments and senior management support, our program encourages trans- 
parency, ensures policies are instituted and validates program effectiveness. The 
diagram below demonstrates HP’s privacy governance model: 
HP monitors compliance with its privacy policies using internal assessments, cus- 
tomer and employee feedback, and internal audits. Our privacy team works closely 
with the HP Ethics and Compliance Office and internal audit function to align with 
their approaches to compliance. All suppliers and third-party vendors that handle 
HP customer and employee personal data are contractually bound to comply with 
applicable portions of our privacy policies and detailed supplier security standards. 


Privacy and Data Protection Board 

HP’s Privacy and Data Protection Board (PDPB) provides company-wide oversight 
for privacy and personal data protection. The PDPB comprises executives from Pri- 
vacy, Legal, Information Technology, Security, Internal Audit, Procurement, Inter- 
net, HP Labs, Human Resources and the Global Government Affairs functions, as 
well as from each business unit and region. 

At quarterly meetings, the PDPB members discuss strategy and high-level prior- 
ities, assess programs, launch projects and resolve any issues identified through our 
ongoing monitoring programs that have been escalated to the PDPB. The PDPB reg- 
ularly invites external experts to discuss privacy trends and developments. The 
PDPB conducts an annual risk assessment and the members work throughout the 
year on teams that handle specific privacy issues and mitigation projects. For exam- 
ple, as a result of the PDPB’s work, all company laptops are required to have full- 
disk encryption to mitigate the risk of data theft or loss. 

The PDPB enables HP to manage data protection risks comprehensively in a 
seamless and integrated way. Its shared risk assessment and decision-making model 
sets a standard for governing information management more broadly. 


Privacy by Design 

HP designs privacy and data protection into new products and services, guided 
by comprehensive, company-wide privacy standards for product and service develop- 
ment. This builds consumer trust and provides a competitive advantage for HP. The 
concept of considering privacy from inception is referred to as “Privacy by Design” 
and is one of the fundamental elements in the legislation of Senators Kerry and 
McCain that HP supports. 

For corporate customers, HP’s Secure Advantage portfolio offers hardware, soft- 
ware and services that help protect data throughout its lifecycle, whether it is 
stored on a desktop, laptop computer, a printer or in a data center. Privacy features 
incorporated into the portfolio include: 


• Software that asks the user whether they want to be notified when updates are 
available, rather than sending notices and installing updates automatically. 

• Full-disk encryption that helps protect the data on each drive, even if the disks 
are lost or stolen, with minimal impact on performance. 

• Automated encryption devices to increase protection. 


HP scientists who support our privacy team continue to work on several collabo- 
rative research projects on privacy. For example, they lead Ensuring Consent and 
Revocation (EnCoRe), a partnership of six organizations with the goal of making it 
safe and easy for people to give and withdraw consent for their data to be used. 
HP scientists and engineers are working with eleven other companies on another 
project called Privacy and Identity Management for Community Services (PICOS) 
to create confidence in the safety of sharing data in online communities. Project 
members are identifying privacy, trust and identity management issues and plan to 
design and build mobile communication tools to address these issues. 

Privacy Advisor Tool 

Beyond our privacy team, at the core of our implementation strategy is the HP 
Privacy Advisor tool that integrates our privacy philosophy and commitments into 
an end-to-end program to better educate and guide our employees about privacy re- 
quirements, risks and considerations. This interactive tool helps to ensure that as 
we develop new products and services, privacy considerations are integrated from 
the first stages of development. Coupled with employee education and mandatory 
training, this tool helps to hold every employee accountable for privacy and data 
protection. 

HP’s privacy team partnered with our R&D labs to develop and deploy a Privacy 
by Design program to ensure that our more than 300,000 employees understand pri- 
vacy implications as they conceive and develop products and programs that will col- 
lect or use personal data. Below is a screen shot that shows HP’s Privacy Advisor 
tool: 
Importantly, the tool is not just about compliance. It integrates ethics and values- 
based considerations to ensure we align to company codes of conduct and consumer 
expectations. If we think about most product designers or marketing managers, they 
are thinking about the next innovation and their first priority isn’t necessarily pri- 
vacy. Whether employees are designing a new product or launching an e-mail mar- 
keting campaign, they need to understand how to put policies, obligations and val- 
ues into effect. And they need to do so as they design new products and prior to 
deployment. 

Not all innovative ideas become reality, so we need to break down product or pro- 
gram development into simple stages. In the design and development stages, HP’s 
privacy team provides proactive guidance so privacy considerations can inform early 
planning. This has traditionally been difficult for companies and can result in a pro- 
gram being delayed or canceled later based on privacy concerns. 

Early guidance related to privacy becomes tremendously valuable to the organiza- 
tion because it ensures privacy pitfalls can be avoided. In the deployment, mainte- 
nance and end-of-life stages, our privacy team does more than just guide. They pro- 
vide assessment mechanisms to ensure compliance with laws, company obligations, 
policies and values. We have learned that this assessment needs to be as contextual 
as possible. For example, the way we need to assess privacy compliance in a global 
e-mail campaign is very different than in a new PC or web-enabled printer that 
seeks to deliver a customized user experience. 

The HP Privacy Advisor tool is available to every employee from our internal 
Internet portal. Employees log in using a digital badge that authenticates their cre- 
dentials and identifies them and their organization. That information is also used 
to assign the appropriate privacy team member for follow-up. 

Here is a screen shot of the employee login page: 
The tool starts by asking simple, basic questions about the proposed project. As 
each question is answered, additional dynamically-generated questions are posed 
based on the collective intelligence and risk factors derived from how prior questions 
were answered. Below is a look at sample project profile questions: 





The HP Privacy Advisor tool is an intelligent privacy impact assessment mecha- 
nism that is geared to the employee user and scales from simple to complex pro- 
grams. One of the greatest benefits is educating employees in the context of their 
program or work tasks. Through the process employees learn about privacy issues 
and can modify their approach to ensure compliance. 

The following two graphics show additional questions based on the sample project: 
The assessment results are documented and reviewed by the privacy team. Con- 
sultation is provided as necessary. If any issues exist, approval from the privacy 
team is required prior to deployment. After a product or program launches, triggers 
exist to ensure deployment was consistent with expectations and that end-of-life ac- 
tions are taken when appropriate. The image below shows a report of the sample 
assessment results: 
By using technology, we are better positioned to scale our privacy team’s knowl- 
edge and guide our 300,000 employees to think about privacy in the right context 
and at the right time. Nothing is perfect, but we think it goes a long way to mini- 
mizing unanticipated effects, and balances our ability to innovate and ensure re- 
sponsible practices when using data. 

An Integrated Framework For Privacy Will Benefit Consumers 

Since 2006, HP has worked closely with the U.S. Congress, the Federal Trade 
Commission and the U.S. Department of Commerce to establish a new strategy for 
federal legislation. We have long advocated for comprehensive federal privacy legis- 
lation which we believe will support business growth, promote innovation and en- 
sure consumer trust in the use of technology. The complexity of existing state laws 
and statutes can make it difficult for businesses to comply with the law. We firmly 
believe it is time for the U.S. to establish a comprehensive, flexible and legal frame- 
work for protecting consumer privacy. Recent research from University of California, 
Berkeley and the Pew Research Center tells us that consumers are becoming more 
concerned, and increasingly want to know that their privacy is protected. We believe 
consumers are expecting federal legislation, companies need it and the economy will 
be better for it. Federal legislation would also help us compete in the global market- 
place since a baseline privacy law in the U.S. allows the opportunity for inter- 
national interoperability. 

In addition to our work in the U.S., HP is actively engaged with Data Protection 
Commissioners in Europe and the Binding Corporate Rules (BCR) of our privacy 
program have been approved by the European Union. BCR approval is considered 
the highest level of certification for organizational privacy accountability. In Asia, 
HP helped create and shape the Asia-Pacific Economic Cooperation Cross-Border 
Privacy Rules system. We are actively engaged in forward-looking frameworks in 
Latin America as well. 

In preparation for this hearing, the Committee asked that we examine three privacy 
bills: (1) S. 799 — The Commercial Privacy Bill of Rights Act of 2011; (2) S. 
913 — Do-Not-Track Online Act of 2011; and (3) S. 1207 — Data Security Breach Leg- 
islation. We support the concepts espoused in all three of the bills and look forward 
to further collaboration with the Senate Commerce, Science and Transportation 
Committee, government regulators and industry to craft privacy and security laws 
that enable robust and rapid innovation, appropriate consumer protection, greater 
consistency and predictability. We look forward to continuing our engagement and 
furthering the efforts to increase effectiveness of the U.S. legal framework for the 
protection of privacy and data security. Below are our brief thoughts on each of the 
bills. 

S. 799 — The Commercial Privacy Bill of Rights Act of 2011 

HP supports this innovative legislative effort by Senators Kerry and McCain. As 
stated earlier in the testimony, “Privacy by Design” is one of the fundamental ele- 
ments in the bill and is a practice HP fully embraces. We look forward to working 
with Congress to advance this legislation. 

Earlier this year, HP joined Microsoft, eBay and Intel in supporting the Commer- 
cial Privacy Bill of Rights Act of 2011 introduced by Senator John Kerry (D-MA) 
and Senator John McCain (R-AZ). Our four companies released a joint statement 
in support of the bill: 

We are pleased that Senator Kerry and Senator McCain, both long-time advo- 
cates for strong consumer privacy protections, have introduced the Commercial 
Privacy Bill of Rights Act of 2011. We support the bill and look forward to work- 
ing with Congress as it moves forward. 

We have long advocated for comprehensive federal privacy legislation, which we 
believe will support business growth, promote innovation and ensure consumer 
trust in the use of technology. The complexity of existing privacy regulations 
makes it difficult for many businesses to comply with the law. 

We support the bill’s overall framework, which is built upon the Fair Informa- 
tion Practices principles. We appreciate that this legislation is technology neu- 
tral and allows for flexibility to adapt to changes in technology. The bill also 
strikes the appropriate balance by providing businesses with the opportunity to 
enter into a robust self-regulatory program. 

We look forward to continuing our engagement to improve the effectiveness of 
the U.S. legal framework for the protection of privacy. 

S. 913 — Do-Not-Track Online Act of 2011 

HP interacts with consumers and businesses in many ways online, including the 
sales and support of our products and services. We believe that the adoption of new 
innovation depends on companies acting in an accountable and responsible manner 
to anticipate and advance consumer needs. No one is served — not corporations, not 
governments and certainly not consumers — by a lack of customer confidence in the 
security and privacy of personal information. At HP, we believe consumer trust 
comes from transparency and providing meaningful choice to consumers. Accord- 
ingly, we support the concepts in Senator Rockefeller’s do-not-track legislation. 

With the acquisition of Palm, HP owns and operates WebOS (an operating system 
used in HP products). HP sells our WebOS devices configured to ensure we do not 
track location-based data without active user consent. When a user opts to enable 
location services, the data is used only for diagnostic purposes and is not shared or 
sold externally. Other products and services, such as our PCs, Internet-enabled 
printers and other mobile devices, provide similar levels of consumer transparency, 
choice and strong privacy protections. 

We would welcome the opportunity to collaborate with Senator Rockefeller to en- 
sure consumers are given appropriate choices for tracking in a manner that recog- 
nizes existing industry standards and technology limitations. We encourage industry 
to develop new standards to facilitate more meaningful choices across a consumer’s 
online experiences. 

S. 1207 — Data Security Breach Legislation 

Both as a consumer products company and as a service provider to other compa- 
nies, HP collects and maintains personally identifiable information. Over the last 10 
years, almost every state in the U.S. has adopted a data security breach law. The 
patchwork of state laws and statutes in existence today confuses consumers about 
their protections in any given context, and forces companies to contend with dif- 
fering and often conflicting regulations. In some cases the laws require over-notifica- 
tion which does nothing to increase privacy protection. This is why we strongly sup- 
port initiatives like Senator Pryor’s data security legislation, which would set a sin- 
gle, national, preemptive standard. Such a law would create consistency and predict- 
ability for businesses and better protection for consumers. 

We support the concepts and principles of the draft bill and look forward to pro- 
viding input on the guidance documents. We hope to ensure that any notice required 
would be meaningful and useful in preventing identity theft or other related harms 
that may result from a data breach. In particular, notification must be prompt to 
enable the impacted individuals and companies to take appropriate action to protect 
themselves. That said, the notification time-frame must take into account the com- 
plexity and nature of the data and the breach. Moreover, the communications vehi- 
cles must be effective in reaching the intended audience and should include new 
media platforms when appropriate (e.g., chat rooms, social media, e-mail, etc.). 

Closing Statement 

We continue to urge policymakers to examine ways to establish baseline federal 
legislation that will clearly articulate expectations for all organizations. As more 
and more services are delivered through multiple parties, such as applications on 
mobile devices, a consistent baseline standard will strengthen the chain of account- 
ability and unify the divergent regulations currently in existence. We believe this 
responds to the very real needs of anxious consumers, and gives industry the flexi- 
bility to innovate in a responsible manner. 

Stated simply, HP recognizes that consumer trust is a precious commodity that 
must be protected through good stewardship and robust privacy programs. Federal 
legislation can establish the baseline for organizational accountability and improved 
consumer protection. It’s a win for both consumers and the industry as a whole. 

The Chairman. I want to apologize once again. This has not been 
the order of what has happened. You have a committee hearing on 
a subject as important as this. You come from far distances, many 
of you, and you give your testimony. 

But let me give you some solace. Actually, getting written ques- 
tions from members and then you having the chance to answer 
them at length, or not at length, whatever your choice, sometimes 
works better than us asking questions. 

And then, you know, the 5-minute rule messing everything up. 
So take some hope in that and otherwise just accept my apologies, 
please. 

This hearing is adjourned. 

[Whereupon, at 11:21 a.m., the hearing was adjourned.] 
Hon. John D. Rockefeller IV, 
Chairman, 

Committee on Commerce, Science, and 
Transportation, 

U.S. Senate, 

Washington, DC. 


June 29, 2011 

Hon. Kay Bailey Hutchison, 

Ranking Member, 

Committee on Commerce, Science, and 
Transportation, 

U.S. Senate, 

Washington, DC. 


Dear Chairman Rockefeller and Ranking Member Hutchison: 

The undersigned trade associations and business groups representing hundreds of 
thousands of U.S. companies from a wide variety of industry segments strongly 
urge caution as you examine whether changes are necessary to existing U.S. privacy 
law. We continue to believe that self-regulation and best business practices 
that are technology-neutral serve as the preferred framework for enhancing innova- 
tion, investment, and competition, while — at the same time — protecting consumers’ 
privacy. 


I. The Benefits of Data Collection and Use to the U.S. Economy 

All sectors of the U.S. economy — including financial services, manufacturing, and 
many more — collect and use data to spur sales and job growth, enhance produc- 
tivity, enable cost-savings, improve efficiency, and protect consumers. Information 
is used in many beneficial ways in our economy and by our society, including: fair 
and efficient consumer credit allocation; local and national background employment 
screenings and national security clearances; fraud prevention in the private-sector 
and in government; the collection of child support payments; and assistance to law 
enforcement on matters ranging from locating missing and exploited children to pre- 
venting money laundering and terrorist financing. 

Businesses depend more than ever on having beneficial and trusted relationships 
with their customers. Better data allows businesses to deliver more relevant and 
targeted products and services to their existing and prospective customers. The effi- 
cient use of data allows manufacturers to reduce the cost of product development 
and assembly costs by up to 50 percent, and decrease the amount of required work- 
ing capital by up to 7 percent.[1] Retailers utilize information for inventory control 
and planning, fraud prevention, marketing, and deciding where new stores should 
be located. The power of data helps retailers boost their profit margins by as much 
as 60 percent.[2] 

Today, the Internet makes it possible for companies of all shapes and sizes to 
communicate with employees, existing customers, potential customers, and business 
partners around the world. The Internet, accounting for $300 billion in economic ac- 
tivity and over three million U.S. jobs, is clearly a key economic engine in our econ- 
omy.[3] U.S. retail e-commerce sales totaled $166.4 billion in 2010, a 14.8 percent in- 
crease over 2009.[4] Frequently, online content is provided at little or no cost to con- 
sumers, and revenues are instead generated through advertising. Internet adver- 
tising revenues in the United States totaled $7.3 billion in the first quarter of 2011, 
representing the highest first-quarter revenue ever for the online advertising indus- 


[1] McKinsey Global Institute, Big Data — The Next Frontier for Innovation, Competition, and 
Productivity, at 8, May 2011, available at: http://www.mckinsey.com/mgi/publications/big_data/pdfs/MGI_big_data_full_report.pdf (McKinsey Report). 

[2] Id. at 2. 

[3] John Deighton et al., Economic Value of the Advertising-Supported Internet Ecosystem, June 
10, 2009, at 3, available at http://www.iab.net/media/file/Economic-Value-Report.pdf. 

[4] Healthy Growth for Ecommerce as Retail Continues Shift to Web, eMarketer Inc., Mar. 17, 
2011, available at http://www.emarketer.com/Article.aspx?R=1008284. 
try and a 23 percent increase over the same period in 2010.[5] By 2015 companies 
are expected to spend up to $17 billion to create and manage mobile applications 
related to specific products, and $38 billion in revenue are expected to be generated 
from consumers purchasing mobile applications for download to their smartphones 
and tablets.[6] 

II. Self-Regulation and Best Practices Serve as Preferred Method for 
Safeguarding Consumer Privacy 

Recognizing the importance of maintaining consumer trust in order to grow their 
businesses, American companies have long engaged in self-regulation to ensure that 
consumer privacy is protected while still allowing innovation to grow and expand 
our economy. Effective self-regulatory programs governing marketing and adver- 
tising have been created and implemented by many respected associations and orga- 
nizations. For example, the American Advertising Federation (AAF), the American 
Association of Advertising Agencies (4A’s), the Association of National Advertisers 
(ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau 
(IAB), the Network Advertising Initiative (NAI), TRUSTe, the Council of Better 
Business Bureaus, Inc., the National Advertising Review Council (NARC), the Asso- 
ciation for Competitive Technology, CTIA — The Wireless Association, and the Mobile 
Marketing Association (MMA) have been involved in the promotion of self-regulatory 
programs. Additionally, organizations are bound by their own privacy policies. 

In the absence of any identified problem, self-regulation and best business prac- 
tices continue to be the most appropriate framework for protecting consumers’ pri- 
vacy online while enabling innovation, investment, and competition. Self-regulatory 
models are a particularly effective method of protecting consumer privacy on the 
Internet because the regulatory process is often incapable of responding rapidly to 
technological changes. 

III. Technology and Self-Regulation Already Offer Consumers the Type of 
Choice Envisioned in Recent Legislative Proposals 

Recent discussion about creating a government-mandated “Do-Not-Track” list to 
prevent the delivery of targeted ads based on the websites that the consumer has 
visited provides an excellent example of the power and effectiveness of self-regula- 
tion. Companies must have the flexibility to respond to market developments and 
to meet changing customer needs, which a one-size-fits-all, government-mandated 
approach would be unable to provide. 

Industry has already begun to provide consumers with the type of choice sought 
by proponents of a “Do-Not-Track” list. For example, the Digital Advertising Alli- 
ance — a consortium of trade associations representing more than 5,000 companies 
engaged in online advertising — launched a Self-Regulatory Program for Online Be- 
havioral Advertising in October 2010, that allows consumers to opt-out from receiv- 
ing interest-based ads across the Internet. Additionally, consumers using Internet 
Explorer, Safari, Firefox, or Google Chrome can choose preference settings that help 
control how their browser stores Internet usage information or the types of “cookies” 
that companies may set. 

Any government restriction on the ability of companies to gain revenue from ad- 
vertising would result in less free or subsidized content being made available to 
users and would inhibit innovative start-ups. 

Debate over the use of location-based service (LBS) data provides another example 
of how consumer privacy can most quickly and effectively be protected through self- 
regulatory means. Smartphone and tablet users are increasingly downloading appli- 
cations that offer LBS, such as navigation and mapping, the ability to locate nearby 
retailers, restaurants, and services, and the capability of always being connected to 
family and friends. Spending on LBS is expected to grow from $2.2 billion in 2009 
to $12.7 billion in 2013.[7] A recent study estimates that, over the next 10 years, 
these services could bring $100 million in revenue to service providers and $700 bil- 
lion in value to consumer and business end users.[8] Moreover, LBS-data allows wire- 


[5] Press Release, Internet Advertising Revenues Hit $7.3 Billion in Q1, May 26, 2011, available 
at http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-052611. 

[6] Nick Bilton, Mobile App Revenue to Reach $38 Billion by 2015, Report Predicts, 
NYTimes.com, Feb. 28, 2011, available at http://bits.blogs.nytimes.com/2011/02/28/mobile-app-revenue-to-reach-38-billion-by-2015-report-predicts/. 

[7] San Jose Firm’s Technology Helps to Find Lost Cars, Pets and More, Silicon Valley/San Jose 
Business Journal, http://www.bizjournals.com/sanjose/stories/2010/01/18/smallb3.html (cit- 
ing Gartner, Dataquest Insight: Consumer Location-Based Services, Subscribers and Revenue 
Forecast, 2007-2013). 

[8] McKinsey Report at 85. 
less carriers to manage their networks and enhance their coverage areas. This data 
also provides significant public safety benefits when, for example, a mobile user 
needs emergency assistance or roadside vehicle repair. 

Policymakers have recently expressed concerns about the collection and usage of 
LBS data by smartphones and mobile applications. However, this is a vibrant, com- 
petitive, consumer-driven market with many groups focused on enhancing or cre- 
ating new self-regulatory regimes as well as user-friendly technological solutions. 
For example, CTIA — The Wireless Association has developed “Best Practices and 
Guidelines for Location-Based Services” and a “Consumer Code for Wireless Serv- 
ice.” The MMA has established its “Mobile Privacy Guidelines.” The Association for 
Competitive Technology has convened a working group to develop privacy guidelines 
for application developers. Thus, legislation in this area is not necessary and would 
harm innovation, including development of the privacy-enhancing technologies that 
policymakers seek to foster. 

IV. Data Security Legislation Would Strengthen Self-Regulation in the 
Privacy Area 

In today’s tough economy, businesses depend more than ever on having beneficial 
and trusted relationships with their customers. Therefore, there is no question that 
protecting sensitive consumer information should be a priority for all businesses 
that collect and store this data, and that consumers deserve to be promptly notified 
if a security breach has put them at significant risk of identity theft, fraud, or other 
harm. Thus, while self-regulation is best suited to safeguard consumer privacy, we 
support the enactment of meaningful federal data security legislation that does not 
hinder innovation or the beneficial uses of data. To be workable and effective, any 
such legislation must contain carefully drafted provisions, including — but not lim- 
ited to — liability, federal preemption, and impact on existing federal laws. 


V. Conclusion 


Companies and organizations utilize a variety of effective methods — industry best 
practices, self-regulation, technology, and internal privacy policies — to protect con- 
sumer privacy. As you consider the need for changes to U.S. privacy law, we look 
forward to discussing any concerns that you or your staff may have on this issue. 
Sincerely, 

American Advertising Federation 
American Association of Advertising Agencies 
Association for Competitive Technology 
Consumer Data Industry Association 
CTIA — The Wireless Association 
Direct Marketing Association 
Electronic Retailing Association 
Interactive Advertising Bureau 
National Association of Professional Background Screeners 
National Business Coalition on E-Commerce and Privacy 

NetChoice 

Network Advertising Initiative 
Performance Marketing Association 
U.S. Chamber of Commerce 


Cc: Members of the Senate Committee on Commerce, Science, and Transportation 
Lisa Liberi 
Santa Fe, NM 

Lisa Ostella 
Denville, NJ 

June 27, 2011 

Natasha Mbabazi 

Consumer Protection, Product Safety, and Insurance Staff 

Senator Thomas Udall, 

Senate Commerce Committee, 

Senator Frank Lautenberg, 

Senate Commerce Committee, 

Senator Barbara Boxer, 

Senate Commerce Committee. 

Re: The Data Privacy and Security Bill Hearing, June 29, 2011 — Protecting Con- 
sumers in the Modern World 

Dear Natasha, 

Thank you for taking the time with Lisa Liberi and Lisa Ostella. As explained 
over the telephone today, Lisa Ostella and Lisa Liberi have been through a complete 
nightmare concerning data privacy with no assistance from State and/or Federal 
Agencies. 

Lisa Liberi was interning as a Paralegal for an Attorney in Pennsylvania. Lisa 
Ostella was working for a short period of time as a Webmaster for Attorney Orly 
Taitz. Orly Taitz resides and owns businesses in Orange County, California. Lisa 
Liberi spoke to Orly Taitz on one occasion in Nov. 2008; and had not met her. Lisa 
Liberi declined assisting Orly Taitz in her litigation against President Obama. In 
addition, Lisa Liberi disagreed with Orly Taitz regarding the Natural Born Citizen- 
ship laws. Lisa Ostella stopped working for Orly Taitz as a result of Orly Taitz’s 
false law enforcement reports claiming “hacking” into her websites/PayPal Accounts 
and falsely accusing “Obama and his thugs.” Lisa Ostella also refused to lie for Orly 
Taitz and refused to substantiate the false claims of “hacking.” As a result, Orly 
Taitz targeted and came after Lisa Liberi and Lisa Ostella. 

Orly Taitz stated she was going to “take down” the attorney who Lisa Liberi was 
interning with and to do so she was going to destroy Lisa Liberi, Orly had published 
all over the Internet that Lisa Liberi was the brains behind Philip J. Berg, Esquire. 
Destroy Lisa Liberi and Lisa Ostella she did. 

Orly Taitz, as an Officer of the Court, illegally obtained background checks on 
Lisa Liberi and Lisa Ostella; Orly Taitz illegally obtained the credit reports and 
background checks of Lisa Liberi and Lisa Ostella; Orly Taitz illegally obtained 
medical records and sealed court records, including adoption records, of Lisa Liberi 
and Lisa Ostella. Lisa Liberi’s credit was discussed on a radio show by Neil Sankey, 
the private investigator who obtained some of the private data for Orly Taitz. 

Orly Taitz illegally obtained the full social security numbers; dates of birth; place 
of birth; mother’s maiden name; children’s names; father’s names; addresses; phone 
numbers; relatives’ names and addresses and other private data belonging to Lisa 
Liberi and Lisa Ostella and all the private primary data of Lisa Liberi and Lisa 
Ostella’s spouses. 

Lisa Liberi and Lisa Ostella’s private data was obtained by Orly Taitz through 
third parties without any type of legal basis, permission of Mrs. Liberi and Mrs. 
Ostella and without any type of verification from the Reed Elsevier, Inc. companies, 
including but not limited to LexisNexis; ChoicePoint, Inc.; Seisint, Inc., d/b/a 
Accurint; and Intelius, Inc. by Orly Taitz and her private investigator’s own admis- 
sions. The Reed Elsevier, Inc. companies, LexisNexis; ChoicePoint, Inc.; and Seisint, 
Inc. d/b/a Accurint canceled Neil Sankey, Todd Sankey and the Sankey Firm, Inc.’s 
Lexis accounts approximately 8 months after Orly Taitz illegally obtained Politi- 
cians’ private data including but not limited to President Obama and at no time in- 
vestigated and/or disclosed the breach. 

In turn, Orly Taitz posted all this primary identification information pertaining 
to Lisa Liberi all over her website located at www.orlytaitzesq.com; and posted the 
private data all over the worldwide web repeatedly; to third-party websites asking 
them to post it; sent out by mass e-mailing; mass mailing to Congressional individ- 
uals; to the U.S. DOJ; FBI; State and Federal entities; and sent it Internationally 
with Lisa Liberi’s and Lisa Ostella’s full Social Security number; date of birth; place 
of birth; mother’s maiden name; father’s name; address Information; and other pri- 
vate data, primary identification data, repeatedly for a year and a half. In fact, Lisa 
Liberi’s social security number is still on the Internet as of today’s date at http:! I 
www.oilforimmigration.org I facts np=1478 and http:! / www.orlytaitzesq.com ! 
wpcontent / uploads 12010 1011 Dc279. doc. 

With this private data, Orly Taitz also began and continues cyber-stalking; 
Cyberbullying; cyber-harassing Lisa Liberi and Lisa Ostella, their families and chil- 
dren; inciting violence against Lisa Liberi and Lisa Ostella; against Lisa Liberi and 
Lisa Ostella. Orly Taitz called in help and harassed people in Lisa Liberi and Lisa 
Ostella’s families and neighbors, including stalking Liberi’s son; contacting people 
in Liberi’s life for the past 25 years; sending people to Liberi’s home; having people 
call Liberi and Ostella’s home threatening their lives; filing numerous false law en- 
forcement reports attempting to have Liberi and Ostella falsely arrested; Orly Taitz 
threatened to have Lisa Ostella’s children professionally kidnapped; Orly Taitz was 
and has continued forging documents in Liberi and Ostella’s name; Orly Taitz drove 
around New Jersey where Lisa Ostella’s resided and her children attended school; 
Orly Taitz illegally stalked Ostella’s daughter, took her picture and published the 
picture online; all of Lisa Ostella and Lisa Liberi’s private data was sent to armed 
militia groups; white supremacy groups, hate groups; Lisa Liberi was called a 
“BLOOD red herring”; Orly Taitz illegally obtained a family photo of Lisa Liberi, 
her son and husband off of Liberi’s computer; Taitz illegally obtained a single photo 
of Liberi; Liberi’s pictures and home address were sent out all over the Internet, 
to armed militias, white supremacy groups and other hate groups, etc. These actions 
are still occurring as of today’s date. 

Unfortunately, due to the lack of privacy laws, Lisa Liberi and Lisa Ostella have 
been unable to get any assistance from their law enforcement agencies. An FTC 
Complaint was submitted to the Federal Trade Commission in or about July 2010, 
however, to date, Lisa Liberi and/or Lisa Liberi have been contacted. 

The damages have been endless and even though Lisa Liberi and Lisa Ostella are 
taking civil action against Orly Taitz, she is still calling in her “cohorts” to assist 
her in harming Liberi and Ostella. See Liberi, et al., v. Taitz, et al., Case No. 8:11- 
cv-00485 AG, U.S. District Court, Central District of CA, Southern Division. 

Lisa Liberi’s and her spouse’s identities have been stolen; their credit destroyed; 
Lisa Ostella’s pet rabbits were slaughtered and left on her back deck; a man with 
a dangerous background in Albq., NM, attempted to get paid $25,000 from Orly 
Taitz in increments under the $10,000 reporting limits on two (2) separate occa- 
sions, which is believed to be an attempt to hire a dangerous person to harm Lisa 
Liberi, Lisa Ostella, their families and children, Santa Fe Police Department did not 
even bother to have this investigated — nor did the FBI or any other law enforce- 
ment agency. Lisa Liberi is a sitting duck for Orly Taitz and her “cohorts” to harm 
her, she can’t move, no one would rent to her with the destruction of her credit by 
her and her husband’s Social Security numbers and other private data being stolen 
and used by others due to the illegal disclosure to Orly Taitz. 

This data and security bill must pass, we need laws and need all the laws to be 
enforced so no others go through what Lisa Liberi and Lisa Ostella have lived for 
the past 2-1/2 years and continue to live. We need laws so law enforcement can 
prosecute these crimes without jurisdictional issues and assist Mrs. Ostella and 
Mrs. Liberi. 

There is a bunch more information regarding the breach of private data, please 
feel free to contact us. We will be happy to provide all the additional information 
and the evidence supporting the allegations herein. 

Thank you. 


Lisa Liberi 
Lisa Ostella 


Cc: Senator Dianne Feinstein 


Response to Written Questions Submitted by Hon. John D. Rockefeller IV 

to Hon. Julie Brill 

Question 1. Commissioner Brill, last month I asked David Vladeck why a year 
after the comment period had closed, the FTC had still not completed its review of 
the Children’s Online Privacy Protection Act or COPPA Rule. Subsequent to the 
hearing, I was concerned to hear Chairman Leibowitz say that the FTC’s COPPA 
proposal will not be out until the fall. I cannot understand what is taking so long. 
We are talking about protecting the most vulnerable Americans — kids under 13. 
Can you tell me why the review has not been completed? 

Answer. Since we commenced our review last year, Commission staff has been 
diligently analyzing the public comments in connection with the review. This work 
involves a wide range of complex issues, and requires thorough consideration of 
technical topics and privacy concerns. At the same time, we have continued to en- 
force the existing Rule, most recently announcing a $3 million settlement with 
Playdom, Inc., and we will announce several additional COPPA settlements shortly. 
The internal work on the COPPA Rule is nearly complete, and I expect that the 
Commission will publicly release the findings soon. 

Question 2. Will you commit to me that you will work with the other Commis- 
sioners to update the rule as quickly as possible? 

Answer. Yes, of course. I am committed to our work in this area, and the privacy 
issues affecting our children have my full attention. I will continue to work with 
the other Commissioners and Commission staff to release the findings and update 
the Rule as quickly as possible. 


Response to Written Question Submitted by Hon. Claire McCaskill to 

Hon. Julie Brill 

Question. The United States may need a national framework to ensure that per- 
sonal data remains secure in an increasingly electronic world and to mitigate harm 
in the event of a breach. As we consider legislation, it is important that we do not 
end up with a patchwork of federal data security laws, with multiple regulations 
from multiple federal agencies. That doesn’t help consumers and could create com- 
petitive disparities that could distort the marketplace and create confusion. Do you 
agree that it is not productive to have multiple agencies with authority over the 
same parties, creating possible duplication of efforts and confusion and disparities 
for consumers and businesses? 

Answer. I certainly agree that strong federal data security and breach notification 
legislative requirements are critical. The Commission has testified before Congress 
in support of such legislation. Overlapping regulations from multiple federal agen- 
cies could create confusion and we would be pleased to work with Committee staff 
to reduce or eliminate any such overlap. 

As Congress continues to consider legislation, we will continue — as we have done 
in the past — to work cooperatively with our sister agencies to avoid duplicative or 
redundant oversight. For example, the FTC and FCC cooperated successfully several 
years ago in “pretexting” cases. These cases involved individuals who pretended to 
be the owners of telephone accounts. Under these false pretenses, they obtained the 
calling records for these accounts from telephone companies and sold the records to 
others. The FTC took action against entities involved in such pretexting, and the 
FCC focused on ensuring that telephone carriers had ample security in place for 
calling records. Our collective goal in these collaborative efforts is to ensure that 
there are no gaps that would leave consumers unprotected. 


Response to Written Questions Submitted by Hon. John F. Kerry to 
Hon. Julie Brill 

Question 1. Commissioner Brill, can you describe the nature of the harm that con- 
sumers experience due to the insufficiency of the privacy frameworks currently in 
place in the United States? 

Answer. The insufficiency of the privacy frameworks currently employed in the 
United States has resulted in considerable harms that may have been avoided had 
certain privacy protections, as outlined in the FTC’s staff privacy report been in 
place. 

For example, in 2002, the Commission entered into a consent order with Eli Lilly 
and Company resolving allegations that it publicly disclosed e-mail addresses of sub- 
scribers to an e-mail reminder service relating to an anti-depressant drug manufac- 
tured by the company. Certain privacy protections, including an emphasis on pri- 
vacy by design (as recommended in the FTC staff privacy report), may have avoided 
this incident, which unquestionably harmed consumers by publicly disclosing sen- 
sitive health-related information. 

More recently, the Commission entered into a consent order with Google Inc., re- 
solving allegations that, in connection with the launch of its social media product, 
Google Buzz, the private contacts of consumers were made public by default in cer- 
tain cases. By disclosing private e-mail contacts, Google Buzz may have revealed the 
identities of those individuals and organizations that consumers were in contact 
with, including attorneys, health providers, professional recruiters, etc. The disclo- 
sure of this type of information could lead to certain conclusions being drawn by 
others that can negatively impact consumers. For example, the fact that a consumer 
is in contact with a particular medical provider could suggest that he is suffering 
from a sensitive medical condition. Similarly, the fact that a consumer is commu- 
nicating with a professional recruiter may lead others to conclude he is job hunting. 
Again, as in the incident involving Eli Lilly and Company, had Google built certain 
privacy protections into its operations, this type of harm may have been avoided. 

Both of these cases involved allegations of deception under section 5 of the FTC 
Act, because the companies had made certain promises to consumers about their in- 
formation practices. Had the companies not made these claims, however, we may 
not have been able to address these incidents. Moreover, currently there is no gen- 
eral legal requirement for companies to disclose their privacy practices, and recent 
evidence exists that companies in the rapidly expanding mobile application field, for 
example, do not. The Future of Privacy Forum think tank analyzed the top 30 paid 
applications at the end of May 2011, and discovered that 22 of them lacked even 
a basic privacy policy. 

Another recent example of unexpected and potentially harmful information use in- 
volves efforts by insurance companies to use data collected online to predict disease 
and insurance risk. Media reports indicate that this may occur without the con- 
sumer’s knowledge or an opportunity to contest the findings. Basic privacy protec- 
tions, such as clear disclosure and adequate choice up front, would allow consumers 
to protect themselves in these situations. 

The potential for harm exists with other types of information as well. For exam- 
ple, consumers have historically relied on state and federal law protections gov- 
erning disclosure of the books they check out of the library and their video rental 
history, but these protections may not reach all the reading or viewing activities of 
consumers as they simply browse the web. If this information were linked to indi- 
vidual consumers, it could be used to make judgments about political affiliation, sex- 
ual orientation, or other sensitive issues. Another example of harm we explored in 
our privacy roundtables involves “sucker lists.” Consumers can find themselves on 
marketing lists targeted to sensitive medical conditions or impulsive purchasing be- 
havior. These lists can facilitate efforts to take advantage of vulnerable consumers. 

Question 2. Commissioner Brill, technology is far more powerful and capable of 
data collection and distribution than it was even 10 years ago. How do technological 
advances such as context awareness (devices being able to tell what you are doing 
and who you are with) and data aggregation impact the framework of existing pri- 
vacy models? 

Answer. As we learned in our series of public roundtables, existing privacy models 
have not kept up with these types of changes in technology. For example, a pure 
notice-and-choice model that relies on lengthy privacy policies has proved unwork- 
able and now, in an era of small screens, even less feasible. Consumers should not 
have to scroll through dozens or hundreds of screens to understand how companies 
collect, use, and share their data. 

Similarly, a model that only addresses quantifiable harms associated with misuse 
of data may not address the full range of consumers’ privacy concerns. For example, 
as you point out, advances in technology have enhanced companies’ ability to store 
and aggregate consumers’ data and use it in ways not understood, intended, or dis- 
closed at the time of collection. Moreover, context aware devices may allow compa- 
nies and others to draw conclusions about consumers that were not previously pos- 
sible. Entities that can track the location of an individual using a Smartphone could 
discern, for example, that the individual spends considerable time at an address ca- 
tering to addiction treatment, or in the vicinity of a municipal building that houses 
the probation office. 

Question 3. Commissioner Brill, some critics of both the recommendations the 
FTC has made to industry and the legislation that I and other members have intro- 
duced is that we do not know enough about collection practices and uses to make 
privacy standards necessary. I believe that we know what constitutes fair informa- 
tion practice principles and we know that a significant portion of collectors of infor- 
mation do not comply with them. I think we should have a law that requires them 
to do so and have proposed one. How do you respond to the criticism that neither 
the FTC nor Congress knows enough to establish baseline rules for how people’s in- 
formation is collected, used, and distributed? 

Answer. I don’t agree with this criticism. I believe that policymakers have suffi- 
cient knowledge of industry practices to encourage certain bedrock principles. The 
Commission has been examining the issues surrounding online privacy for years — 
since at least the mid-1990s. During the three Commission privacy roundtables held 
in 2009-2010, we heard from hundreds of participants from academia, consumer 
groups, industry, trade associations and others. I believe we have a considerable un- 
derstanding of how industry is collecting, using and disclosing information about 
consumers. Because industry will continue to innovate, my goal is to develop uni- 
versal principles that will continue to be relevant regardless of how industry pro- 
gresses. These principles, including privacy by design, simplified choice and im- 
proved transparency, are ones that can be applicable in nearly all situations, and 
there appears to be widespread agreement that companies should be implementing 
these principles. 

Question 4. Commissioner Brill, data brokers deal in the acquisition of informa- 
tion from an original source of collection to share with other unrelated entities who 
might want to use that information. I have two questions for you as it relates to 
data brokers and their practices: 

Should companies be able to buy from and sell data to data brokers, without the 
consent of the consumers that are the subject of that data? 

Answer. The Commission staff’s report supported the idea that companies should 
provide consumers with meaningful choice before sharing their data with third par- 
ties, including data brokers. Our staff report also supported the idea that consumers 
should have reasonable access to information data brokers maintain about them, 
and in appropriate cases, the right to correct this information or have it suppressed. 
Further, the report noted the extent of access and the consumers’ ability to correct 
or suppress information should be scalable to the sensitivity of the data and the na- 
ture of its use. I fully support these proposals. 

Question 4a. If consumers did not consent to collection by a data broker and do 
not have access to or the right of correction regarding erroneous data gathered 
about them without their permission, how can the government help data brokers 
eliminate erroneous data and protect consumers? 

Answer. If data brokers sell information for credit, employment, insurance, hous- 
ing or other similar purposes, they must provide certain protections under the Fair 
Credit Reporting Act (“FCRA”). For example, they must take reasonable steps to en- 
sure accuracy of the information they sell and they must inform purchasers of their 
obligation to provide adverse action notices to consumers. Even when the FCRA is 
not applicable, the FTC staff report proposed that data brokers provide consumers 
with reasonable access to information maintained about them, and in appropriate 
cases, the right to correct this information. I support this proposal. 

Question 5. Commissioner Brill, the FTC made its first call for comprehensive pri- 
vacy protection under a Democratic majority in 1999. This FTC issued a draft report 
calling for privacy by design, simpler more streamlined choices for consumers, and 
transparency in data collection practices and uses last year. As you know, we mod- 
eled our legislation on that report and witnesses on the next panel will speak di- 
rectly to the legislation. Do you have a sense of the proportion of collectors of infor- 
mation that are not today incorporating privacy protections into the design of their 
services or meeting the other baseline fair information practices you lay out? 

Answer. Although we do not have statistical information of that nature, based on 
our investigations and general policy initiatives, it is evident that many companies 
are still lagging in incorporating basic data security standards in their everyday 
practices. We have also seen evidence that privacy disclosures are not being used 
by a substantial number of mobile applications (“apps”). Recently, the Future of 
Privacy Forum think tank analyzed the top 30 paid apps and discovered that 22 of 
them lacked even a basic privacy policy. It is clear that work remains to be done 
in order to achieve widespread compliance with basic privacy protections. 

Question 6. Have you had a chance to review the legislation and in your analysis, 
to what extent does it meet the three recommendations for policymakers included 
in the draft report? 

Answer. I am pleased to see that basic privacy protections like those laid out in 
our FTC staff report — such as privacy by design, improved notices, and increased 
transparency — are incorporated into the draft legislation. I believe it would be use- 
ful for Commission staff to continue to discuss the draft legislation with your staff. 

Question 7. In our legislation, we are calling for comprehensive protections that 
allow people to opt out of having their information collected for uses they should 
not have to expect and beyond that, we are arguing that we also need other rules, like 
the ability to have consumers ask firms to cease using their information if they lose 
trust in that company as well as the knowledge that companies are required to have 
accountability and security measures in place before they collect people’s informa- 
tion. 

You have said that prior approaches to privacy protection focused solely on 
threats to harm after the harm has occurred or relied on simple notice of collection, 
and that efforts to offer choice of whether or not to have that information secured 
have fallen short. If you believe that the “no harm, no foul” and simple notice and 
choice solutions are inadequate as I do, would you not agree that we need a new 
comprehensive privacy law? 
Answer. I agree that we need a new approach to consumer privacy. The Commis- 
sion staff embarked on its privacy reassessment and issued its preliminary privacy 
report in recognition of the inadequacies of existing approaches to consumer privacy. 
I also agree that companies should follow basic privacy principles like those laid out 
in the staff report. As you know, however, the Commission has not yet taken a posi- 
tion on legislation. 

Question 8. Commissioner Brill, in a May 4 speech you gave, you responded to 
the criticism that a Do Not Track option would dry up advertising revenue. You said 
that “As the Commission learned during our discussions and research prior to 
issuing our report, when given an informed and more granular choice, most con- 
sumers, including myself, want to receive tailored ads — and will choose to share in- 
formation for that purpose.” 

I agree with that, which is why although we require collectors to give consumers 
a choice about whether their information is collected or not, we did not make a uni- 
versal choice mechanism the centerpiece of our legislation. Given that you think 
most people will not opt-out of having their information collected, are not the other 
fair information practice principles — security of information, clear and specific no- 
tice, ability to access data or call for cessation of its use, and the requirement that 
data be collected and held only as long as necessary, to name a few — just as impor- 
tant or more important than whether or not we can secure a universal do not track 
choice? 

Answer. I agree that comprehensive privacy protections are very important. The 
protections that are reflected in your bill, including data security, privacy by design, 
and clear notices, are critical to ensuring basic privacy protections. Do Not Track 
can be a very effective tool for consumers to exercise choices about the growing in- 
dustry practice of behavioral advertising. Do Not Track will not address other cur- 
rent privacy concerns. 

Question 9. Commissioner Brill, the FTC report calls for different treatment for 
first-party collectors of information and third-party collectors. It is a concept we 
adopted in our legislation as well because we believe a first-party interaction is 
known to the consumer and some degree of trust is implicit. Could you explain the 
difference in your mind and why different treatment is warranted? 

Answer. The Commission staff report recognizes that the relationship that con- 
sumers have with first parties is different from the relationship they have with 
third parties. When a consumer goes directly to a retailer’s website to obtain a prod- 
uct or service, the consumer inherently understands that she is sharing information 
with that retailer. However, when visiting that retailer’s website, the consumer does 
not understand or expect that the retailer will be sharing her information with 
other companies (“third parties”). That is why our staff report recommended that 
consumers be given clear notice and choice about such information sharing with 
third parties. This distinction, however, must be drawn carefully. If first parties are 
defined broadly to include Internet Service Providers (“ISPs”) or other companies 
that have access to almost all consumers’ browsing behavior, then consumers would 
likely have a different expectation about the use of their data by those companies 
than they would a typical retailer. Consumers would undoubtedly be surprised, and 
may in fact be concerned, to learn that ISPs or similarly situated companies could 
use all of their browsing behavior without their consent. For this reason, the staff 
report noted that enhanced consent or even more heightened restrictions would like- 
ly be warranted for practices such as ISPs’ use of Deep Packet Inspection to create 
marketing profiles. 


Response to Written Questions Submitted by Hon. Barbara Boxer to 
Hon. Julie Brill 

Question 1. In your written testimony, you note that the FTC has brought 34 data 
security cases during the past 15 years. During this same period of time, state At- 
torneys General have been free to file cases under state law to protect their citizens. 
What has been your working relationship with state Attorneys General on data se- 
curity matters, and has their ability to prosecute state laws ever conflicted or hin- 
dered the FTC’s prosecution of its cases? 

Question 2. Have the efforts of state Attorneys General assisted the FTC in its 
enforcement of consumer privacy and data security laws? 

Answers 1 and 2. The FTC has a history of working well with state Attorneys 
General on enforcement actions in many types of cases. Having served for many 
years in state Attorneys General offices, I can say from experience that the Commis- 
sion has worked well with the state AGs. The agency’s continued commitment to 
this cooperation is among my top priorities. 

Commission staff engaged in privacy and data security-related investigations reg- 
ularly interact with staff from the state AGs and enforcement actions are coordi- 
nated when appropriate. For example, in the enforcement action involving 
LifeLock — a company that provided an identity theft prevention service — 35 states 
joined the Commission, together obtaining a $12 million settlement involving 
charges that it used false claims to promote its services. 

As we do with our sister federal agencies, we work closely with state AGs to pre- 
vent any conflicting or duplicative enforcement actions. 

Question 3. I am concerned about the effect of the data breach bill’s preemption 
of California law. As you may know, California law requires a company to notify 
consumers of a breach if there is a reasonable belief that personal information was 
accessed without authorization. Do you have an opinion on whether it is best for 
data breach notification to be triggered on whether there has been unauthorized ac- 
cess to data, or whether notification should be triggered on a company’s determina- 
tion as to whether there is a risk of harm? 

Answer. There may be a risk that requiring notification any time there has been 
unauthorized access to data could result in over-notification to consumers, causing 
them to ignore the important notices. Therefore, generally, it may be useful to have 
companies make an objective reasonable determination as to whether the breach 
will not pose a reasonable risk of harm. In such cases, a notice would not be re- 
quired. 

At the same time, however, for certain sensitive data, unauthorized access to such 
data may create a presumption of harm. For example, in the Commission’s Health 
Breach Notification Rule, the Commission stated that, because of the sensitivity of 
health information, unauthorized access would be presumed to create a risk of 
harm. 

Question 4. In AT&T v. Concepcion, the U.S. Supreme Court ruled that federal 
arbitration law preempts California law banning the use of class action waivers in 
consumer agreements. Some professors and consumer advocates in California have 
expressed concern that this decision could have an effect on state data breach laws, 
such as the strong law in effect in California. Do you believe the Supreme Court’s 
decision could have an impact on states’ ability to pass strong consumer protection 
laws, particularly in the data breach/notification area? 

Answer. I note that the California state data breach law contains a private right 
of action. Cal. Civ. Code § 1798.84. Under the decision in AT&T v. Concepcion, it 
appears that companies handling consumer data could mandate in their consumer 
agreements that consumers address any problem related to data security and notifi- 
cation through individual arbitration. 


Response to Written Question Submitted by Hon. Mark Begich to 
Hon. Julie Brill 

Question. Besides passing legislation is there anything else that can be done to 
assist consumers’ digital education so they have a better understanding of the con- 
sequences of their online and offline data profiles? 

Answer. As we mentioned in the December 2010 preliminary staff privacy report, 
we believe that all stakeholders should work to educate consumers on privacy 
issues, particularly in the digital world. For its part, the FTC has a very active pro- 
gram to educate families about steps people can take to protect their data online, 
and understand how companies may track their online activity. Many school sys- 
tems have ordered materials from the FTC, or adapted them for their own use. We 
encourage schools that aren’t yet using these materials to consider sharing them 
with teachers, parents and students. 

Since October 2009, the FTC has distributed over eight million copies of the guide 
for parents, “Net Cetera: Chatting with Kids About Being Online.” Approximately 
20,000 schools, school systems, law enforcers and other community organizations 
have placed orders. The Net Cetera guide helps adults lead a conversation with kids 
about online privacy and safety, rather than taking a lecturing approach. 

Recently, OnGuardOnline.gov released a new publication designed to educate con- 
sumers about mobile apps, “Understanding Mobile Apps: Questions and Answers.” 
The guide explains what apps are, the types of data they can collect and share, and 
why some apps collect geolocation information. The FTC issued the guide to help 
consumers better understand the privacy and security implications of using mobile 
apps before downloading them. 
In September 2011, the FTC will release a revamped OnGuardOnline.gov site, in 
coordination with the Department of Homeland Security’s Stop.Think.Connect cam- 
paign. The site, which will feature a blog, will continue to be the Federal Govern- 
ment’s site to help users be safe, secure and responsible online. 


Response to Written Questions Submitted by Hon. Kelly Ayotte to 
Hon. Julie Brill 

Question 1. In a May 2011 interview, Chairman Leibowitz stated that “one of the 
Commission’s priorities is to find a pure Section 5 case under unfair methods of 
competition. Everyone acknowledges that Congress gave us much more jurisdiction 
than just antitrust.” However, in 2009, the U.S. Chamber of Commerce published 
an article that casts doubt on the FTC’s authority to expand its jurisdiction under 
Section 5. The Chamber stated, “The character of many of these proposals, as well 
as their scope and diversity, highlights key disadvantages of extending Section 5 be- 
yond the range of the existing antitrust laws.” Do you agree with the Chamber’s 
views that we should look with skepticism at the expansion of Section 5? If not, why 
not? 

Answer. Congress established the Commission as a bipartisan independent agency 
with a mandate to protect the public from unfair methods of competition. Congress 
intended that the Commission play a unique role in the economic life of the nation. 
As the Supreme Court explained in FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 
239 (1972), in which it thoroughly examined the legislative history of the FTC Act, 
Congress intended for the Commission to proscribe unfair business practices that 
are not condemned under the letter of the antitrust laws. Senator Cummins (R. 
Iowa), one of the main sponsors of the bill establishing the FTC, squarely stated 
on the Senate floor: “[t]hat is the only purpose of Section 5 to make some things 
punishable, to prevent some things, that can not be punished or prevented under 
the antitrust law.” 51 Cong. Rec. 12,454 (1914). While the vast majority of our anti- 
trust enforcement actions involve conduct that falls within the prohibitions of the 
Sherman or Clayton Acts, the Commission has a broader mandate, which it dis- 
charges by challenging, under Section 5, conduct that is likely to result in dem- 
onstrated harm to consumers or to the competitive process. 

Indeed, Section 5 may be the only practicable means to stop harmful conduct that 
cannot be reached under the antitrust laws. The Commission’s recent use of Section 
5 demonstrates that the Commission is committed to using that authority in pre- 
dictable ways that enhance consumer welfare. For instance, the Commission used 
Section 5 in the recent U-Haul settlement to prevent “invitations to collude” by fix- 
ing prices. A competitor’s invitation to its nominal rival to fix prices does not violate 
the Sherman Act, but it serves no lawful purpose and creates an intolerable risk 
that price fixing will result. And even if an invitation to collude is rejected, it can 
undermine the process by which prices are set by independent competitors and lead 
to tacit coordination. In the article you mention, the Chamber of Commerce 
“acknowledge[s] that there are certain, limited forms of anticompetitive conduct that 
may not be covered by the antitrust laws,” including invitations to collude. 

Congress chose to give the Commission its broad mandate rather than handing 
the Commission a list of specific acts to be condemned as unfair because it knew 
that no such list could be, or long remain, sufficiently complete to protect competi- 
tion and consumers. To address concerns about the fairness of not doing so, Con- 
gress limited the remedies available for violations of Section 5. The Commission is 
limited to certain remedies, such as cease and desist orders, to stop harmful con- 
duct; the agency cannot seek a fine or civil penalty as a result of a Section 5 viola- 
tion. Moreover, Section 5 of the FTC Act does not provide for a private right of ac- 
tion, and no party may obtain treble damages under the FTC Act. 

Because of the limited consequences of Section 5 enforcement, the Commission 
uses its Section 5 authority not to punish the wrongdoer, but to fairly eliminate the 
conduct that is likely to injure competition and consumers, allowing honest and 
competitive markets to further consumer welfare. 

Question 2. The Association for Competitive Technology represents a number of 
tech companies including Microsoft, Oracle, and VeriSign. ACT has blogged about 
Chairman Leibowitz’s desire to expand the FTC’s Section 5 authority. It wrote that 
Chairman Leibowitz “is arguing that requiring actual economic analysis of alleged 
“harms to competition” is too high a bar for his agency. They need to be able to pre- 
vent business practices they believe are harmful to competition and consumers, even 
if the economic analysis suggests otherwise. And in this new regime, companies will 
have little guidance as to what the FTC will consider legal vs. illegal.” This doesn’t 
seem to be the right policy for the agency to be pursuing. Why is the FTC doing 
so? 

Answer. The Commission will not bring a case where the evidence shows no ac- 
tual or likely harm to competition or consumers. As the Chairman explained in his 
testimony before the Senate Judiciary Committee last summer, “Of course, in using 
our Section 5 authority the Commission will focus on bringing cases where there 
is clear harm to the competitive process and to consumers.” That is, any case the 
Commission brings under the broader authority of Section 5 will be based on de- 
monstrable harm to consumers or competition. As the Second Circuit held in the 
Ethyl case,1 there must be some “indicia of oppressiveness” before the FTC can 
bring an enforcement action under Section 5. We have adhered to this standard in 
our cases. For instance, in the recent Intel case, the Commission alleged that Intel’s 
behavior harmed consumers and the competitive process in a number of ways, such 
as raising the price of computers; limiting consumer choice; inhibiting competition 
from non-Intel chip makers; reducing innovation by computer makers; and reducing 
the quality of industry benchmarking. Commission staff was prepared to offer proof 
of these harmful effects to establish that Intel violated Section 5, as well as Section 
2 of the Sherman Act. Intel offered to settle the case, resulting in a Commission 
order eliminating the harmful conduct. 

Question 3. Prior to Google’s announcement of an FTC investigation into its com- 
petitive practices there were a lot of news stories about the battle between the FTC 
and the DoJ over which agency would get to investigate the company. In fact, As- 
sistant Attorney General for Antitrust Christine Varney questioned whether two 
agencies should have antitrust review powers. She stated, “I would leave to Con- 
gress how they would like to resolve the overlapping and sometimes inconsistent ju- 
risdiction between the agencies ... I think what business does need is clarity, cer- 
tainty and understanding of the legal framework within which their deals will be 
evaluated.” Do you think that the overlapping jurisdictions of the FTC and Depart- 
ment of Justice — and the fights that they produce — are a good thing for American 
businesses and consumers? If not, how would you propose to fix it? 

Answer. I believe the FTC and the Department of Justice work well together to 
promote and protect competition and the interests of American consumers and busi- 
nesses. Both agencies have areas of expertise, and the differences in their organiza- 
tional structures are quite deliberate and provide certain benefits. For example, the 
FTC was created by Congress as an independent agency with expertise in both con- 
sumer protection and antitrust. One of the principal benefits of the FTC is that it 
is bipartisan and our decisions require consultation and consensus. That means that 
our enforcement efforts remain relatively consistent as we go from Administration 
to Administration. Further, because Congress wisely charged the Commission with 
competition and consumer protection enforcement, we have a broad perspective that 
enhances our work. The FTC also was chartered by Congress to employ non-enforce- 
ment tools, such as issuing reports, performing empirical studies, and advocating for 
pro-competition reforms with other government agencies, to support and strengthen 
the agency’s competition and consumer protection missions. 

This year, the agencies worked closely together on several joint policy projects to 
provide transparency and predictability for businesses subject to the antitrust laws. 
Last August, FTC and DOJ issued revised Horizontal Merger Guidelines, a core doc- 
ument that provides businesses with a clear view into how the agencies conduct 
antitrust merger reviews. This year, the agencies also jointly developed a Proposed 
Antitrust Enforcement Policy relating to cooperation among health care providers 
organizing Accountable Care Organizations under the new Patient Protection and 
Affordable Care Act. These joint statements reflect a high level of consensus and 
cooperation, and serve as models for competition agencies throughout the world. 

It is true that there are occasional clearance disputes over which agency is in the 
better position to investigate a matter. In most instances, one or the other agency 
has greater expertise in the industry of potential concern due to a previous inves- 
tigation, and clearance is given to that agency right away. But in grey areas, such 
as where neither agency has conducted an investigation in the past, both agencies 
can make a claim that a related investigation gives them a head start on the facts 
and issues that are likely to arise. The FTC and DOJ have a process in place to 
resolve clearance disputes, which helps resolve the issue quickly, so that one agency 
can get started on the investigation and minimize any burden on the parties. Re- 
cently, clearance disputes have been rare and are handled quickly. 


1 E.I. du Pont de Nemours & Co. v. FTC, 729 F.2d 128 (2d Cir. 1984) (“Ethyl”). 
Response to Written Questions Submitted by Hon. John F. Kerry to 
Hon. Cameron F. Kerry 

Question 1. General Counsel Kerry, I understand that you have had discussions 
with our trading partners in Europe, Asia, and the Americas on privacy. I get the 
sense that our disagreements with them are more about form than substance. That 
is, we share values but not a common platform of law. Could you talk about what 
is going on in the rest of the world on this issue and how you and Congress can 
participate in that dialogue effectively? 

Answer. Privacy is a deeply held value in America, reflecting long-standing legal, 
political, and cultural traditions. Our laws express this value. Respect for privacy 
is broadly enshrined within the Bill of Rights, most dramatically in the Fourth 
Amendment. Privacy protections are woven into the fabric of our common law and 
state laws. Congress has further protected various types of information about indi- 
viduals through legislation aimed at specific industries or categories of information, 
such as health, finance, education, and information about children. Some of the com- 
panies that operate in these targeted industries have adopted multi-stakeholder-cre- 
ated codes of conduct which are enforced by the Federal Trade Commission (FTC) 
and by state Attorneys General. Between legislation and these codes of conduct, 
there is strong protection for information about individuals in these specific sectors. 

Other countries have adopted different models. With the advent of Internet com- 
merce, several multinational bodies developed comprehensive data privacy models 
that draw nearly all data privacy contexts under a single legal framework. In large 
part, these laws are grounded in the internationally recognized Fair Information 
Practice Principles that were originally created by the United States Department of 
Health, Education and Welfare back in 1973. In 1995, for example, the European 
Union (EU) passed its Data Protection Directive (DPD), which provides an EU-wide, 
omnibus framework focused on these fair information principles. Similarly, the Or- 
ganization for Economic Cooperation and Development (OECD) has issued Guide- 
lines Governing the Protection of Privacy and Transborder Flows of Personal Data, 
and the Asia Pacific Economic Cooperation has issued a Privacy Framework, which 
also enshrine the Fair Information Practice Principles. Many member countries 
have implemented this framework in their own national laws, including Argentina, 
Australia, Canada, India, Japan, Mexico, South Korea, and all 27 member countries 
of the EU. These laws are generally applicable to information about individuals irre- 
spective of the industry in which the information is obtained. 

Because key American players in the Internet, including online advertisers, cloud 
computing service providers, providers of location-based services, and social net- 
working sites, operate in sectors without specific statutory obligations to protect in- 
formation about individuals, much of the information about individuals currently 
traversing the Internet fall into these “gaps” in commercial privacy legislation. This 
has led to a misperception in some foreign quarters that the United States does not 
have strong privacy protections and does not care about privacy. 

Even though the United States does not have a unitary legal framework in the 
private sector that governs commercial data privacy, our system of protections is 
strong and actively enforced by the FTC, by agencies that regulate in specific sectors, 
and by the States. Furthermore, there is an expanding corps of privacy professionals 
in the United States dedicated to considering privacy issues and complying 
with privacy regulations, both domestic and foreign. As the data protection commis- 
sioner of another country said to me at an international conference of data protec- 
tion and privacy professionals: “My colleagues tell me the Americans have no re- 
spect for privacy, but how come all the people who attend these conferences are 
American?” Many recognize that the flexible regime of U.S. privacy laws has facili- 
tated innovation and contributed to development of some of the world’s most ad- 
vanced online services. 

The European Union is currently revising its Data Protection Directive, and we 
are concerned this may result in changes that would restrict cross-border data flows. 
In our engagement with the EU, its member states, and other international part- 
ners, my Administration colleagues and I are working toward minimizing multiple 
compliance burdens and giving businesses and consumers consistent rules and ex- 
pectations. 

The most important thing Congress can do is to enact baseline privacy protection 
to make American commercial data privacy law comprehensive, creating protections 
that would apply to all businesses in the absence of more specific industry legisla- 
tion. The Administration has issued a call for enacting such protections in the form 
of a consumer privacy bill of rights based on the Fair Information Practice Prin- 
ciples our country pioneered long ago. The EU is closely watching our pending pri- 
vacy-related legislation. If Congress were to enact comprehensive commercial data 
privacy legislation that fills in the gaps in consumer protections, this would demonstrate 
renewed U.S. leadership in privacy protection and help prevent fragmentation 
of the Internet that becomes a barrier to the cross-border free flow of information 
essential to the United States and to global trade and commerce. 

Question la. How many other members of the OECD have a general law of pri- 
vacy for commerce based on the Fair Information Practice Principles? 

Answer. Within the OECD, 32 of the 34 members have a general commercial pri- 
vacy law based on the Fair Information Practice Principles — all members except the 
United States and Turkey. 

Question 2. GC Kerry, we are talking about both privacy and what happens to 
people’s information when security fails. How would a privacy framework based on 
the Fair Information Practices impact data breaches (i.e., only retaining the data 
for as long as needed, implementing good data security, privacy by design, etc.)? 

Answer. The premise underlying the Administration’s proposal for federal security 
breach notification legislation is that creating greater transparency and account- 
ability through breach reporting will improve the state of data security practices. 
The Administration’s security breach notification proposal does not recommend any 
specific set of data security requirements. 

Other Administration and Department of Commerce proposals contain rec- 
ommendations to improve security for digital information, including but not limited 
to information about individuals. In the context of consumer data privacy legisla- 
tion, the Administration recommends an approach based on a comprehensive set of 
Fair Information Practice Principles (FIPPs). Widespread implementation of such 
principles could help address some of the conditions that lead to security breaches. 
For example, observing the principle of data minimization — collecting only the infor- 
mation about individuals that is needed and securely deleting or disposing of it after 
it is no longer needed — could lead firms to collect less information about individuals 
that could be subject to unauthorized disclosure. This principle would, of course, 
need to be implemented in such a way that it did not hamper the ability of law en- 
forcement to continue to ensure public safety. Similarly, a “privacy by design” ap- 
proach could lead to the collection of less information about individuals and to the 
incorporation of technical and organizational approaches to keeping it secure. 

Question 3. GC Kerry, in the Department of Commerce report issued last year, 
your agency did not call for a Do-Not-Track option to go in to law. Can you talk 
about the pros and cons of Do-Not-Track proposals and its role as a part of the larg- 
er privacy framework we should be considering? 

Answer. Although it is premature to comment on specific Do-Not-Track proposals 
currently being debated, the Administration believes that Do-Not-Track is exactly 
the type of complex subject that would benefit from the multi-stakeholder process 
outlined in our response to Question 5, where stakeholders with different interests 
and perspectives would work together toward agreement on an enforceable code of 
conduct for the industry. Such a process would allow industry to be responsive to 
changing consumer expectations and rapidly-changing technology without the need 
for additional legislation. 

The FTC’s current work on Do-Not-Track embraces this model, and I applaud the 
leadership of Chairman Leibowitz, as well as browser developers, privacy advocates, 
and others, to provide options for greater control over personal information. 

Question 4. GC Kerry, the FTC and the FCC both have a role in privacy oversight 
today. Senator McCain and I are proposing consolidating that oversight under the 
FTC to the degree that activities telephone and cable companies undertake in col- 
lecting information are already covered by another law. Again, this remains a work 
in progress and we are open to alternative constructions of the bill. Given that cable 
and telephone companies are collecting information for the same business reasons 
as any other market actor, is there a good reason to govern them under different 
agencies or under different constraints? 

Answer. Generally speaking, the Internet Policy Task Force Green Paper and 
other Administration statements have recommended keeping existing sector-specific 
federal data privacy statutes in place and avoiding duplicative regulation. We will 
consider this issue further as we develop the Administration’s proposal. 

Question 5. GC Kerry, in our legislation we include a safe harbor program by 
which industry can work cooperatively with regulators to construct procedures for 
adherence to fair information practice principles that are workable and effective. 
Could you talk to the concept of the multi-stakeholder cooperative process and how 
you think it could work? 

Answer. Multi-stakeholder processes are not an untested idea. Groups such as the 
Internet Engineering Task Force (IETF) and the World Wide Web Consortium 
(W3C) have used transparent, consensus-driven processes to set a wide range of 
Internet-related technical standards. These processes have been successful, in part, 
because stakeholders share an interest in solving the underlying challenges. Today 
the standards for basic Internet communications protocols that support trillions of 
dollars in global commerce each year are developed through these consensus-driven 
processes. 

The 1990s Internet policy framework began with a series of multi-stakeholder 
events and forums that informed policy and prompted self-regulatory action. Major 
websites agreed to post privacy policies, the nascent online advertising industry de- 
veloped a code of conduct, and the FTC enforced adherence to these voluntary prac- 
tices. 

The Administration believes that the flexibility provided by well-crafted multi- 
stakeholder processes offers the most effective solution to the challenges posed by 
a rapidly changing technological, economic, and social environment. We need a proc- 
ess that is nimble enough to enable stakeholders to respond quickly to consumer 
data privacy issues emerging from new technologies and business practices without 
the need for additional legislation. 

The two key characteristics of a successful multi-stakeholder process for a wide 
variety of privacy challenges — including data security, and Do-Not-Track — are legit- 
imacy and flexibility. 

Legitimacy means that the broad array of stakeholders affected by consumer data 
privacy have a chance to be heard — and actually are heard. The process we envision 
will put industry leaders at the table alongside consumers, privacy advocates, state 
regulators, academics and appropriate federal agencies. We want to engage all of 
them in a dialogue about how to guarantee the privacy consumers have a right to 
expect, while enabling businesses to develop new technologies, products, and serv- 
ices, and meeting legitimate public safety concerns and other important public inter- 
ests. 

Flexibility ensures that the process continues to adapt to changes in technology 
and services in the digital economy. The issues will touch on technology, business 
needs, individual values, U.S. law, and international law and policy among many 
other things. The process needs to accommodate these different, changing consider- 
ations. 

We see a need for our government to take the initiative to convene stakeholder 
discussions. We are convinced that Executive Branch involvement as a facilitator 
will inject energy, legitimacy, and urgency to get stakeholders moving. 

The Department of Commerce will initiate the process by working with private 
sector stakeholders, consumer groups, privacy advocates, and government partners, 
to identify specific arenas where privacy practices are unclear and clear rules would 
benefit consumers and businesses. Once convened, these stakeholders will hold the 
pen when drafting the codes. The end goal is to produce an enforceable code of con- 
duct that meets FTC approval. 


Response to Written Question Submitted by Hon. Mark Begich to 
Hon. Cameron F. Kerry 

Question. Besides passing legislation is there anything else that can be done to 
assist consumers’ digital education so they have a better understanding of the con- 
sequences of their online and offline data profiles? 

Answer. As technologies mature, consumers will naturally become more educated 
in the privacy issues related to those technologies. However, there are certain ac- 
tions Congress and the Administration can take that will help speed up that con- 
stantly-evolving process. 

Congressional hearings on commercial data privacy have helped raise awareness 
of data privacy practices. Forums convened by agencies like the Department of Com- 
merce and the Federal Trade Commission have also increased awareness and inter- 
est in the issues surrounding consumers’ data profiles. There are also many privacy 
conferences that explore these issues and help educate privacy professionals, who 
in turn help educate an increasingly sophisticated population of consumers. 

We will continue to engage with the private sector as conveners, speakers, partici- 
pants, and listeners at privacy conferences. We will also continue leading initiatives 
like the National Strategy for Trusted Identities in Cyberspace, which is focused on 
enhancing consumers’ convenience, security, and privacy in online transactions, and 
the National Initiative for Cybersecurity Education, which has as one of its three 
strategic goals to raise awareness about the risks of online activities. This kind of 
leadership and participation has sped-up the production of tools that provide con- 
sumers more awareness and control over their online data profiles, such as browser 
Do-Not-Track tools and privacy architecture. 
Response to Written Question Submitted by Hon. Claire McCaskill to 
Austin C. Schlick 

Question. The United States may need a national framework to ensure that per- 
sonal data remains secure in an increasingly electronic world and to mitigate harm 
in the event of a breach. As we consider legislation, it is important that we do not 
end up with a patchwork of federal data security laws, with multiple regulations 
from multiple federal agencies. That doesn’t help consumers and could create com- 
petitive disparities that could distort the marketplace and create confusion. Do you 
agree that it is not productive to have multiple agencies with authority over the 
same parties, creating possible duplication of efforts and confusion and disparities 
for consumers and businesses? 

Answer. A uniform and consistent set of privacy and data security standards em- 
ployed consistently across government could protect consumers and provide cer- 
tainty to companies that handle personal data. These standards would not, however, 
preclude sector-specific privacy regimes overseen by experienced expert agencies. In 
particular, different types of consumer data may warrant different treatment, and 
the same type of information might warrant different treatment by companies in 
different industries. For example, an individual’s health-related information may 
raise different concerns than the same individual’s consumer spending-related infor- 
mation, and overseeing data security with respect to these different types of data 
may be most successfully done by the agencies that have expertise and experience 
with the industries and types of data at issue. 

The FCC, for instance, has extensive experience protecting consumers through the 
agency’s authority over the privacy practices of communications providers. Section 
222 of the Communications Act requires telecommunications carriers to safeguard 
information about, for example, the numbers consumers dial, the length of time they 
spend using the network, and their location when they use wired or wireless serv- 
ices to make calls. Over the years, the Commission has responded to evolving tech- 
nologies and networks by promulgating increasingly protective rules to safeguard 
consumers’ privacy. Our network-focused privacy and data security rules are sound, 
settled, and legally tested. Sections 338 and 631 of the Communications Act also 
protect personal information. These provisions establish requirements for satellite 
and cable television providers’ treatment of their subscribers’ personally identifiable 
information, including information about the extent of any viewing or other use by 
the subscriber of a cable or satellite service or other service provided by the cable 
or satellite operator. The requirements include clear and conspicuous notice about 
collection and use of subscribers’ personal data, limiting disclosure of personal data, 
and remedies for subscribers who suffer a violation of these provisions. 

The FCC also has experience with successful collaboration in areas of overlapping 
agency jurisdiction. Working in parallel with the FTC, the FCC adopted “Do-Not- 
Call” regulations under Section 227 of the Communications Act. The FCC and the 
FTC also collaborated on implementation of the CAN-SPAM Act, with the FCC 
adopting rules that prohibit sending unwanted commercial e-mail messages to wire- 
less accounts without prior permission. The FCC and the Department of Justice en- 
force Section 705 of the Communications Act, which prohibits unauthorized inter- 
ception of radio communications and unauthorized disclosures of wire or radio com- 
munications. 


Response to Written Question Submitted by Hon. Mark Begich to 
Austin C. Schlick 

Question. Besides passing legislation is there anything else that can be done to 
assist consumers’ digital education so they have a better understanding of the con- 
sequences of their online and offline data profiles? 

Answer. Consumer education is an ongoing priority for the FCC, particularly in 
the area of privacy and data security. The National Broadband Plan specifically rec- 
ognized the importance of educating consumers about the potential consequences of 
their online profiles and helping them manage those profiles in a manner that maxi- 
mizes the privacy and security of the information. 

The Commission’s E-rate program also requires that any school receiving E-rate 
funding for Internet access or internal connections must have an Internet safety pol- 
icy. At Congress’s direction, we are implementing a new requirement for 2012 that 
those policies must provide for educating minors — at the school’s discretion — about 
appropriate online behavior. 

The FCC also participates in numerous consumer education initiatives across the 
Federal Government in the area of privacy and data security. The FCC is an active 
participant in OnGuard Online, a website sponsored by several government and private 
organizations that helps consumers guard against fraud and identity theft on 
the Internet. The FCC also is part of the public/private National Initiative for Cy- 
bersecurity Education partnership that encourages sound cybersecurity practices, 
including protection of consumers’ online profiles. The FCC will continue to support 
these and other initiatives that educate consumers about the importance of pro- 
tecting their online identities. 


Response to Written Questions Submitted by Hon. John D. Rockefeller IV to 
Stuart K. Pratt 

Question 1. Mr. Pratt, while your testimony focuses on use of information by data 
brokers for fraud prevention, law enforcement and child protection, the industry is 
much broader than that. According to news reports, consumer information is col- 
lected, aggregated, and sold by data brokers for marketing and other purposes. To 
provide a fuller record, please provide the following: 

• A comprehensive list of data brokers and the types of consumer information 
they collect by entity, how the data is acquired, how it is aggregated, and how 
it is marketed to potential buyers. 

Answer. There may be companies that produce valuable products for American 
businesses who want to reach customers and which fall under the definition of the 
term data broker as your bill defines it. However, CDIA does not represent these 
types of companies and cannot answer for them. CDIA is an international trade as- 
sociation with more than 190 member companies, providing our nation’s businesses 
with the data tools necessary to manage risk in a wide range of consumer trans- 
actions. These products include credit and mortgage reports, identity verification 
tools, law enforcement investigative products, fraudulent check transaction identi- 
fication systems, employment screening, tenant screening, depository account open- 
ing tools, decision sciences technologies, locator services and collections. Our mem- 
bers’ data and the products and services based on it ensure that consumers benefit 
from fair and safe transactions, broader competition and access to a market which 
is innovative and focused on their needs. We estimate that the industry’s products 
are used to manage risk in more than nine billion transactions per year. The 
sources of data used to develop these products vary. Examples of sources include 
financial institutions, insurance companies, retailers, public records, utilities compa- 
nies, telecommunications companies and consumers, themselves. 

Question 1a. A detailed and comprehensive list of the types of entities purchasing 
data from data brokers and the types of information and purpose for purchasing 
such information. 

Answer. The users of risk-management products produced by our members will 
vary. We include a range of uses in our testimony. Examples include insurance com- 
panies, financial institutions of all types, law enforcement agencies, government en- 
titlement program providers, federal, state and local government administrative and 
regulatory agencies, retail merchants, public and private universities, non-profit or- 
ganizations, collection agencies, child support enforcement programs and agencies, 
centers for missing and exploited children, retailers, healthcare providers and more. 

The specific purposes for purchasing the data for risk management will vary. 
Some purchase data to verify consumers’ identities in order to prevent identity theft 
and to comply with federal laws and regulations relating to this crime such as Sec- 
tion 326 of the USA Patriot Act or FACT Act Red Flags Rules. Others will purchase 
data to make sure that the consumer with whom they are doing business has the 
ability to pay for the product or that the premium is set fairly relative to the risk. 
An online retailer or government agency may purchase data to ensure that packages 
or mailings are sent to the most up-to-date address and not 
to fraudulent addresses. Child support enforcement agencies and those which focus 
on missing and exploited children use location and investigative data tools to en- 
force orders and to prevent child abuse. 

Question 1b. Your understanding of what existing laws cover, if any, the collec- 
tion, maintenance, and transfer or sale of each type of information described in your 
responses to the requests above. 

Answer. With regard to CDIA’s members there are numerous laws at the federal 
and state level that regulate the collection, maintenance, and transfer or sale of in- 
formation, including but not limited to: 

• The Federal Fair Credit Reporting Act (FCRA) as well as various state Fair 
Credit Reporting Acts; 

• Title V of the Gramm-Leach-Bliley Act (GLBA); 

• The Drivers Privacy Protection Act (DPPA); 

• The Health Insurance Portability and Accountability Act (HIPAA); 

• The Children’s Online Privacy Protection Act (COPPA); 

• The FTC’s Do Not Call list; 

• The Fair Debt Collection Practices Act; 

• Section 5 of the FTC Act and similar state UDAP Statutes; 

• Equal Credit Opportunity Act; 

• The CAN-SPAM Act; 

• The Telemarketing Consumer Protection Act; and 

• Numerous state data protection/data security/data breach notification laws. 

Question 2. Mr. Pratt, you suggest the data broker provision in Senator Pryor’s 
and my bill will undermine law enforcement and fraud prevention even though our 
bill makes an explicit accommodation for “governmental, child protection, and fraud 
prevention purposes.” Given this exemption, why do you believe the bill would un- 
dermine those efforts? 

Answer. As suggested in our oral remarks offered at your hearing, it is our view 
that the committee has a tremendous opportunity to pass new law establishing a 
national standard for ensuring the security of sensitive personal information and en- 
suring that consumers are notified when the loss of sensitive personal information 
poses a significant risk of identity theft. CDIA continues to support the enactment 
of an administratively-enforced national standard for both concepts. 

With regard to the information broker provision consider the following specific 
concerns which are drawn from our September 22, 2010 testimony offered at a legis- 
lative hearing on S. 3742, the Data Security and Breach Notification Act of 2010 
and which remain in this version of that legislation, as well. 

Interference with Fraud Prevention, Identity Protection and Location Services — 
RVI products such as those designed for fraud prevention and location are produced 
under laws such as the Gramm-Leach-Bliley Act and Section 5 of the Federal Trade 
Commission Act. 

The definition of information broker does not exclude financial institutions regu- 
lated under GLB. Therefore products developed under the data-use limitations 
found in GLB Title V, Section 502(e) are adversely affected by the information 
broker provision. Neither a product developed for fraud prevention nor location 
should be subject to accuracy, access and correction standards since neither product 
is used to deny or approve an application, etc. If they were designed for the purpose 
of making decisions about a consumer’s eligibility, then they would already be regu- 
lated under the FCRA. 

Consider the effect of the information broker duties on fraud tools. While Section 
2(b)(3)(A)(ii) provides a limited exception for fraud data bases consisting of inac- 
curate information, the exception is not sufficient, though we do applaud the effort 
to try and address the problem of imposing an accuracy standard on fraud tools. 
Fraud prevention tools are built based on data about confirmed fraud attempts, data 
about combinations of accurate and inaccurate data used for fraud attempts and 
more. Fraud tools are designed to identify transactions or applications that are like- 
ly to be fraudulent in order to allow the user to take additional steps to prevent 
the crime and still process legitimate transactions. The current exception does not 
appear to address all types of fraud prevention tools used today and further the lim- 
itations of the exception impose statutory rigidity that will prevent the design of 
new tools as the strategies of the criminals change. It is our view that applying an 
accuracy standard to any aspect of a fraud prevention system that is not used to 
stop a transaction or used to make a yes-or-no decision does not make sense. 

Similarly it is wrong to subject fraud prevention tools to an access and correction 
regime. While Section 2(b)(3)(iv) attempts to exclude fraud prevention tools from the 
duty to disclose (and therefore any right to dispute data), the exception is tied to 
a variety of tests such as where the use of the tool would be “compromised by such 
access.” It is our view that fraud tools, because they are not used to make decisions, 
should be absolutely excluded from duties to disclose. If details of a fraud tool are 
disclosed it is akin to disclosing the recipe for fraud prevention. The fact that the 
exception to disclosure is not absolute leaves open the risk that a tool will have to 
be disclosed which simply reduces the value of fraud prevention tools which are pro- 
tecting consumers. This result works against the premise of the bill which is to pro- 
tect consumers from crime, particularly identity theft. 

As discussed in this testimony, location services are materially important to how 
risk is managed. These tools are not designed to be used for decisionmaking and 
thus are not regulated under the FCRA, which already regulates all data used for 
eligibility decisions (including the imposition of accuracy, access and correction 
rights). Location services cannot have an accuracy standard applied to them as this 
bill would propose. The tools are about helping local law enforcement investigate 
crimes, attorneys to locate witnesses, and federal agencies to cross match data in 
the pursuit of kidnappers, etc., nonprofit hospitals to collect debts from patients who 
have the ability to pay but refuse to do so and in the enforcement of child support 
orders. These systems are designed to, for example, help a user identify possible 
connections between disparate records and ultimately possible locations for the sub- 
ject of the search. Measuring the quality of the possible connections is not akin to 
an accuracy standard, nor should an accuracy standard be applied to “possible 
matches.” Further, providing access to a database for purposes of error correction 
could affect the quality of the systems since matches are sometimes based on com- 
binations of accurate and inaccurate data. Ultimately, the data is not used to deny 
a consumer access to goods or services and thus CDIA opposes the application of 
accuracy, access and correction duties to these fraud prevention systems or RVI 
services. 

Thank you for this opportunity to add to your hearing record. 


Response to Written Question Submitted by Hon. Roger F. Wicker to 

Stuart K. Pratt 

Question. Mr. Pratt, in your testimony, you cite the litany of current laws aimed 
at data security and protecting consumers’ personal information, such as the 
Gramm-Leach-Bliley Act and HIPAA. Further, you caution against creating “over- 
lapping burdens” where companies are already in compliance with security and noti- 
fication standards for sensitive personal information. As we explore this issue, how 
can we ensure creating a national standard will not overlap with these laws and 
create additional burdens on industry? 

Answer. It’s our firm belief that one very definite way to eliminate some statutory 
and regulatory overlap as well as to avoid misapplication of data management prin- 
ciples is to eliminate the “data broker” provisions from the bill entirely. In doing 
this the Senate Commerce Committee can focus on the tremendous opportunity to 
move a bill that will establish an administratively-enforced national standard for se- 
curing sensitive personal information and notifying consumers when the loss of sen- 
sitive personal information poses a significant risk of identity theft. 

Another specific step you can take is to ensure that where a person is already 
subject to a duty established by other federal law, regulation or agency guidance to 
secure sensitive personal information or to notify consumers where the loss of sen- 
sitive personal information poses a significant risk of identity theft, that the person 
is deemed in compliance with the proposed bill’s duties. While there are some excep- 
tions included in the bill, they are incomplete because the bill proposes that entities 
must be “in compliance with” and not merely “subject to” these duties. By adopting 
this “in compliance with” test, the current bill essentially requires all U.S. busi- 
nesses that are subject to both laws to comply with both laws, since falling out of 
compliance with one leads to being out of compliance with both. This is entirely the 
wrong result, and CDIA urges the Committee to strike this test in favor of a simple 
set of exceptions tied to a “subject to” standard. 

Finally, the bill must establish a “field preemption” standard which applies to all 
entities who are either subject to the bill or who are deemed in compliance with the 
bill. This type of preemption ensures that states cannot alter or affect in any way 
the operation of the national standards for data security and breach notification. If 
preemption is not perfected then the bill will result in persons still being subject 
to new or slightly altered state laws. 

We are happy to provide your staff with amendatory language for each of the con- 
cerns outlined above. 


Response to Written Question Submitted by Hon. John D. Rockefeller IV 

to Ioana Rusu 

Question. What types of consumer information is currently being collected by data 
brokers, for what purposes, and is there adequate transparency for consumers? 
Would the data broker provisions in the Data Security and Breach Notification Act 
give consumers greater protections than existing law? 

Answer. One significant problem associated with data collection activities carried 
out by many information brokers is that few people know exactly what types of in- 
formation are being collected, and how they are being used. Consumers often do not 
even realize that these brokers exist, much less that they are collecting information 
about consumer behavior which can then be used to alter important outcomes for 
individuals. 

Nevertheless, there have been some reports and investigations into the activities 
of these companies. For example, a recent Washington Post article entitled, “Little- 
Known Firms Tracking Data Used in Credit Scores” [1] detailed the activities of what 
it called the “fourth bureau:” private companies that compile and sell consumer data 
to entities such as lenders, landlords, employers and health-care providers. Unlike 
the three major credit bureaus, which track consumer scores based on credit card 
activity, auto notes and mortgages, the fourth bureau tracks and investigates tradi- 
tionally unreliable indicators of creditworthiness, such as magazine and cable sub- 
scriptions, utility bills, and child care tuition payments. The Fair Credit Reporting 
Act sets standards for handling of credit information, but it does not necessarily 
cover all the activities of the “fourth bureau,” and enforcement of this law has been 
spotty. 

Most American consumers have no way of knowing that this information is being 
collected about them and used in ways that could affect their interest rates, hous- 
ing, and employment. Even when individuals find out about the “fourth bureau’s” 
existence, accessing and correcting data about them can be very difficult. Consumers 
Union submitted a letter last week to both Senate and House Commerce and Bank- 
ing Committees, asking that Congress investigate the activities of these entities and 
address concerns surrounding consumer privacy and FCRA compliance. 

In addition, in its December 2010 staff report, the Federal Trade Commission ac- 
knowledged that information brokers currently have the ability to collect and aggre- 
gate data from a wide variety of online and offline sources, as well as public and 
private sources. Data brokers may, for example, contract with retailers to acquire 
consumer purchase information.[2] Some also maintain lists of individuals that are 
considered particularly susceptible to certain marketing campaigns or scams.[3] Data 
brokers can use collected information for a variety of purposes, including providing 
identity verification services to third-parties. Information thus obtained, whether 
correct or erroneous, could be used to deny individuals access to funds, admission 
to an event, or membership in a group. Such uses may fall outside of the FCRA, 
thus depriving consumers of the protections offered by the Act.[4] 

Because data brokers do not interact directly with consumers, they often do not 
notify consumers when data is being collected. Many also do not provide consumers 
with some means to opt out of the collection. As noted in the FTC report, the most 
troublesome aspect of this business is that it is invisible to consumers, and allows 
the aggregation of massive amounts of information about them into consumer pro- 
files that can be used for a variety of unanticipated purposes. Such secret dossiers 
pose significant privacy concerns. 

The information broker provisions in S. 1207 would impose standardized, manda- 
tory requirements on these companies. Under the bill, information brokers would 
have to provide consumer access to collected information, as well as a process for 
consumers to dispute and correct erroneous information. Data brokers would also 
have to maximize accuracy of collected information. In addition, the bill prohibits 
information brokers from engaging in pre-texting in order to obtain consumer infor- 
mation. These provisions would provide consumers with greater protections than 
those currently existing in law, because they would cover entities that may not tech- 
nically fit into the traditional FCRA definitions. Those companies have often argued 
that they are not subject to FCRA. This bill would ensure that even in situations 
where FCRA does not apply, information brokers still grant consumers access to in- 
formation about them, and make reasonable efforts to ensure information is accu- 
rate. 

As this legislation moves forward, we hope your Committee will also consider 
strengthening the information broker section by including a requirement that when- 
ever an entity uses information furnished by these brokers to make an adverse deci- 
sion about a consumer, that consumer must receive notification. Access and correc- 
tion rights are certainly important. However, if a consumer does not know that brokers 
are collecting and selling personal information about them, they will have no 
way of knowing they should access and correct erroneous data. 

[1] Ylan Q. Mui, “Little-Known Firms Tracking Data Used in Credit Scores,” Washington Post, 
July 16, 2011, available on the web at: http://www.washingtonpost.com/business/economy/little-known-firms-tracking-data-used-in-credit-scores/2011/05/24/gIQAXHcWll_story.html. 

[2] Fed. Trade Comm’n, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed 
Framework for Businesses and Policymakers,” (2010) (preliminary FTC staff report), available 
at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. 

[3] Id. at 31, referencing Written Comment of Chris Jay Hoofnagle, University of California, 
Berkeley School of Law, cmt. #544506-00012, at 5 (quoting Karen Blumenthal, “How Banks, 
Marketers Aid Scams,” Wall St. J., July 1, 2009). 

[4] Id. at 74, note 171. 


Response to Written Questions Submitted by Hon. Barbara Boxer to 

Ioana Rusu 

Question 1. As you know, California was the first state to enact data breach and 
notification laws in 2002, which became effective in 2003. California has been a 
leader in the area of data breach laws, and has continued to pass laws enhancing 
protections for consumers since the initial law. However, I am concerned about the 
state law preemption provisions in S. 913 (Kerry-McCain privacy bill) and S. 1207 
(Pryor-Rockefeller data security bill), which would prevent California enacting laws 
in the future to deal with new threats to consumers. Do you believe that leading 
states such as California should be preempted from improving their consumer pro- 
tection laws? 

Answer. Consumers Union supports the idea that states should be “laboratories 
of democracy,” constantly evaluating existing law and proposing new solutions for 
rising issues. Our organization supported the California breach law passed in 2003 
and we have a long history of working with state legislatures to pass initiatives that 
would protect consumers. As a result, we would certainly prefer that any federal law 
addressing data breach and notification set out a floor, not a ceiling, allowing states 
to innovate and address new threats to consumers. 

However, we are also concerned that the current patchwork of state notification 
rules may prove unworkable in the long run. We believe that the pre-emption lan- 
guage currently included in S. 1207 is narrowly drawn. 

In addition, we are also particularly concerned about the activities of information 
brokers. Too often, consumers have no idea that these hidden entities are tracking 
their behavior and collecting information about them from online and offline 
sources, which is then aggregated and used to create comprehensive consumer pro- 
files. We believe that the provisions of the bill, which would require access, accu- 
racy, and a process for consumers to dispute and correct erroneous information, 
would go a long way toward bringing more transparency to the activities of these 
data tracking companies. As a result, although Consumers Union would prefer that 
the bill not preempt state initiatives, we believe that the overall bill would increase 
protections of consumer data. 

Question 2. As you may know, California law requires a company to notify con- 
sumers of a breach if there is a reasonable belief that personal information was 
accessed without authorization. However, this law would be preempted by S. 1207. 
Do you have an opinion on whether it is best for data breach notification to be trig- 
gered on whether there has been unauthorized access to data, or whether notifica- 
tion should be triggered on a company’s determination as to whether there is a risk 
of harm? 

Answer. In testimony to Congress on this matter, Consumers Union has repeat- 
edly pointed out that the strongest state notice of breach laws do not require a find- 
ing of risk before mandating consumer notification. Although Consumers Union 
would prefer that consumers receive notification whenever their personal informa- 
tion is compromised, if there is to be a standard for risk, then Consumers Union 
would prefer the approach taken by this bill, where the risk is considered as an ex- 
emption rather than as an affirmative trigger. Under an “exemption” approach, a 
company with a security breach has to qualify for the exemption by showing that 
there is no reasonable risk of harm. Insufficient information about the level of risk 
does not eliminate the obligation to tell consumers about the breach. 

Question 3. Do you believe that state Attorneys General play a vital role in the 
enforcement of consumer laws, such as data security and privacy laws? 

Answer. Consumers Union strongly believes that state Attorneys General must be 
involved in the enforcement of consumer laws such as S. 1207. State attorneys gen- 
eral have been at the forefront of notice of data breach issues and have played an 
invaluable role in addressing identity theft and data breach. With more cops on the 
beat, consumers’ personal information will be better protected. 

Question 4. In AT&T v. Concepcion, the U.S. Supreme Court ruled that federal 
arbitration law preempts California law banning the use of class action waivers in 
consumer agreements. Some professors and consumer advocates in California have 
expressed concern that this decision could have an effect on state data breach laws, 
such as the strong law in effect in California. Do you believe the Supreme Court’s 
decision could have an impact on states’ ability to pass strong consumer protection 
laws, particularly in the data breach/notification area? 

Answer. Consumers Union is troubled by the U.S. Supreme Court’s finding in 
AT&T v. Concepcion. The Court’s decision to strike down the California law in ques- 
tion appears to allow companies to draft contracts that legally bar consumers from 
obtaining redress through class-action lawsuits or even group arbitration. Con- 
sumers Union believes that class actions and group arbitration represent important 
tools for consumers to challenge companies that have wronged them, particularly in 
cases where many consumers have suffered relatively small economic harms. As a 
result, we are concerned that under this ruling, strong state consumer laws may be 
nullified by provisions buried in consumer contracts. 


Response to Written Questions Submitted by Hon. Claire McCaskill to 

Tim Schaaff 

Question 1. In reviewing proposals that address data security, it is important that 
Congress learns more from industry sectors about how they are dealing with these 
issues. How has the hacking incident of 77 million of your customers’ accounts af- 
fected your business and approach to data breach? 

Answer. The hacking incident led us to take action that significantly disrupted 
my company’s network business and our consumers’ use of our services, and, for the 
entire industry, these illegal attacks highlighted the widespread problem of cyber 
security. To protect our network and our consumers from online hackers, we felt 
compelled to shut down our services. We worked hard to restore the services and 
to keep our customers informed. We asked our customers for their patience and un- 
derstanding. We have been rewarded with a strong return of our customers to our 
network. Since coming back online there has been a net increase of approximately 
3 million new user accounts. Following the attacks, we reevaluated our approach to 
data security and enhanced our security in numerous respects. 

Question 2. What have you learned from the incident and what internal steps are 
you taking to address it from happening again? 

Answer. We have learned that the problem of cyber crime is insidious and perva- 
sive, that the hacking community has become increasingly sophisticated and pos- 
sesses extraordinary ability to assimilate and share information, and that, therefore, 
a more-coordinated effort among all industry stakeholders is necessary to best ad- 
dress the issue. Along with advocating that type of cooperative approach, as we do 
here, to guard against future attacks, we have taken various internal steps to en- 
hance the security controls we already had in place, including: 

• added additional automated software monitoring and configuration manage- 
ment to help defend against new attacks; 

• enhanced levels of data protection and encryption; 

• enhanced our capabilities to detect software intrusions within the network, un- 
authorized access and unusual activity patterns; 

• implemented additional layers of firewalls; 

• began sharing the knowledge, expertise, and available tools acquired by SNEA 
during the attack with other Sony companies; 

• expedited a planned move of the system to a new data center in a different loca- 
tion with enhanced security; and 

• created a new Chief Information Security Officer position at SNEA. 

Question 3. What processes have been working for you and what do you need to 
improve? 

Answer. Our communications with our consumers and our Welcome Back program 
have been working well for us. Our consumers have responded, and we are at or 
surpassing pre-breach metrics for engagement with our customers. We believe that 
support between industry and government should be improved. Companies are effec- 
tively defending against highly sophisticated hackers by themselves with no real 
means or ability to investigate beyond their own servers if a breach occurs. A strong 
coalition among government, industry, and consumers is needed to insure that the 
Internet is not lawless and that online commerce can grow unimpeded. We believe 
it would be extremely helpful for the public and private sector to develop informa- 
tion-sharing processes that help legitimate business without inadvertently sup- 
porting hackers. In addition, means must be found so that consumers, government, 
and industry can work more closely together to enact strong laws, promote strong 
enforcement of those laws, and educate consumers about the very real threats that 
exist online. 


Response to Written Questions Submitted by Hon. Roger F. Wicker to 
Thomas M. Lenard, Ph.D. 

Question 1. In previous hearings of this Committee on online privacy, industry 
representatives have cited the success of self-regulatory approaches and the impor- 
tance of enabling flexibility in protecting consumer privacy. In light of these self- 
regulatory, principles-based efforts, do you think it would be premature for us to 
move forward with prescriptive regulations? 

Answer. There is no evidence that current approaches are not working. Indeed, 
the recent Department of Commerce Green Paper, which did not recommend pre- 
scriptive regulations, observed that “existing U.S. commercial data privacy policy 
has enabled the digital economy to flourish” (DOC Green Paper, p. 1). This raises 
questions regarding why that policy should be changed. 

Proponents of prescriptive regulation have not thus far demonstrated that there 
is market failure or that consumers are being harmed under the current regime. 
Therefore, there is no basis for new regulation. If such a basis were established, 
there would still be the need to demonstrate that the benefits of any proposed regu- 
lation exceed its costs. 

Question 2. If we proceed down the path of prescriptive one-size-fits-all regulation 
do you believe there is a chance it could actually have a reverse effect and com- 
promise providers’ ability to protect consumers’ personal information? 

Answer. Regulating the collection, use and/or retention of data by legitimate firms 
does little or nothing to deter fraud. It may, however, increase the risk of fraud by 
making it more difficult for sellers to have the information necessary to determine 
if a potential buyer is fraudulent. 

The ability to authenticate an individual’s identity for purposes of online activities 
will become increasingly important as the Internet develops. Authentication often 
requires the combination of various sources of data, which is made more difficult 
(and in some cases, impossible) by various regulatory proposals. Some proposals, 
such as requiring consumers have access to their data, would also make it easier 
for fraudsters to access data, thereby making authentication more difficult and in- 
creasing the risk of fraud. 

If consumers overestimate the risk of online activities — for example, as a result 
of receiving numerous notices of data breaches — they may be induced to shift their 
activities offline. This would be exactly the wrong thing to do, because the evidence 
shows that consumers would reduce their risks by shifting more of their activities 
online. 